Report No. D-2007-133                                        September 28, 2007


Defense Civilian Pay System Controls Placed in Operation
and Tests of Operating Effectiveness for the Period of
July 1, 2006 Through June 30, 2007


Additional Information and Copies

The Department of Defense Office of the Deputy Inspector General for Auditing, Defense Financial Auditing Service prepared this report. If you have questions or would like to obtain additional copies of the report, contact Ms. Holly Williams at (703) 325-3557 (DSN 221-3557) or Ms. Donna A. Roberts at (703) 428-1070 (DSN 328-1070).

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Office of the Deputy Inspector General for Auditing at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704


INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

September 28, 2007

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER
               ASSISTANT SECRETARY OF DEFENSE (NETWORKS AND INFORMATION INTEGRATION)/DOD CHIEF INFORMATION OFFICER
               DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
               DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: Defense Civilian Pay System Controls Placed in Operation and Tests of Operating Effectiveness for the Period July 1, 2006, through June 30, 2007 (Report No. D-2007-133)

We are providing this report for your information and use. No written response to this report is required. Therefore, we are publishing this report in final form.

We appreciate the courtesies extended to the staff. Questions should be directed to Ms. Holly Williams at (703) 325-3557 (DSN 221-3557) or Ms. Donna A. Roberts at (703) 428-1070 (DSN 328-1070). The audit team members are listed inside the back cover.

By direction of the Deputy Inspector General for Auditing:

(signed)
Paul J. Granetto, CPA
Assistant Inspector General
Defense Financial Auditing Service


Table of Contents

Foreword

Section I
    Independent Service Auditor's Report

Section II
    Description of DCPS Operations and Controls Provided by DFAS and DISA

Section III
    Control Objectives, Control Activities, and Tests of Operating Effectiveness

Section IV
    Supplemental Information Provided by DFAS and DISA

Acronyms and Abbreviations

Report Distribution


Foreword

This report is intended for the use of Defense Finance and Accounting Service (DFAS) and Defense Information Systems Agency (DISA) management, its user organizations, and the independent auditors of its user organizations. Department of Defense personnel who manage and use the Defense Civilian Pay System (DCPS) will also find this report of interest, as it contains information about DCPS general and application controls.

The Department of Defense Office of Inspector General (DoD OIG) is implementing a long-range strategy to conduct audits of DoD financial statements. The Chief Financial Officers Act of 1990 (P.L. 101-576), as amended, requires agencies to prepare financial statements and have them audited; reliable controls over systems such as DCPS are key to achieving the goals of that Act.

DCPS is a pay processing system used to pay DoD civilian employees, as well as employees at several other Federal entities, including the Departments of Energy and Health and Human Services and the Executive Office of the President. As of June 30, 2006, DCPS processed pay for approximately 798,000 employees.

This audit assessed controls over the DCPS processes at DFAS and DISA. This report provides an opinion on the fairness of presentation, the adequacy of design, and the operating effectiveness of key controls that are relevant to audits of user organization financial statements. As a result, user organizations and their auditors can rely on this report when planning or conducting financial statement and performance audits, rather than each auditing DCPS separately. A separate audit report will provide recommendations to management for correction of the identified control deficiencies. Effective internal control is critical to achieving reliable information for all management reporting and decision making.


Section I: Independent Service Auditor's Report


September 28, 2007

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE (COMPTROLLER)/CHIEF FINANCIAL OFFICER
               ASSISTANT SECRETARY OF DEFENSE (NETWORKS AND INFORMATION INTEGRATION)/DOD CHIEF INFORMATION OFFICER
               DIRECTOR, DEFENSE FINANCE AND ACCOUNTING SERVICE
               DIRECTOR, DEFENSE INFORMATION SYSTEMS AGENCY

SUBJECT: Defense Civilian Pay System Controls Placed in Operation and Tests of Operating Effectiveness for the Period July 1, 2006, through June 30, 2007

We have examined the accompanying description of the general computer and application controls related to the Defense Civilian Pay System (DCPS) (Section II). The Defense Finance and Accounting Service-Headquarters (DFAS-HQ) provides management control and coordination within DoD and has overall responsibility for implementation and application of DCPS. DCPS is maintained and supported by the DFAS technical support elements and the Defense Information Systems Agency (DISA). As such, the DCPS general computer and application controls are managed by both DISA and DFAS. Our examination included procedures to obtain reasonable assurance about whether (1) the accompanying description presents fairly, in all material respects, the aspects of the controls at DFAS and DISA that may be relevant to a DCPS user organization's internal controls as they relate to an audit of financial statements; (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily and user organizations applied those aspects of internal control contemplated in the design of the controls at DFAS and DISA; and (3) such controls had been placed in operation as of June 30, 2007.

The control objectives were specified by the Department of Defense Office of the Inspector General (DoD OIG). We performed our examination in accordance with American Institute of Certified Public Accountants standards and applicable financial audit standards contained in Government Auditing Standards issued by the Comptroller General of the United States, and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

The DCPS general computer control environment includes certain controls that are pervasive across the DISA Defense Enterprise Computing Center (DECC) Mechanicsburg data center that houses DCPS. These pervasive controls include:
   • overall security planning (e.g., DECC risk assessments, site security plans, security management structure);
   • general employee processes (e.g., background investigations, position and job descriptions);
   • group authentication;
   • physical security;
   • network administration (for example, firewalls, network scans, remote access, network monitoring, use of mobile code);
   • incident response;
   • environmental controls; and
   • hardware maintenance.

The accompanying description does not include control objectives and control activity descriptions related to these pervasive controls, and our examination did not extend to these controls at the DISA DECC Mechanicsburg data center.

The accompanying description includes only those application control objectives and related controls resident at the Charleston, South Carolina; Pensacola, Florida; Indianapolis, Indiana; and Denver, Colorado Payroll Offices. DCPS processes approximately 81 interface files from DoD and external systems. Examples of these interface systems include the Defense Civilian Personnel Data System, the Federal Reserve, the Thrift Savings Plan, and the Department of the Treasury. The accompanying description does not include control objectives and general and application controls related to the systems that interface with DCPS. Our examination did not extend to the controls resident at the National Security Agency (NSA) and Cleveland, Ohio Payroll Offices, or to controls related to the systems that interface with DCPS. Furthermore, because of the sensitive nature of the pay information for personnel who work for the Executive Office of the President (EOP), our examination did not extend to the controls over EOP payee transactions.

DCPS began processing pay for Department of Veterans Affairs (VA) payees on September 16, 2006, at the Pensacola, Florida Payroll Office. The payroll processing responsibilities were moved to the Indianapolis, Indiana Payroll Office as of May 13, 2007. Therefore, our examination only covered controls in place for VA payroll processing at the Pensacola, Florida Payroll Office for the period of August 20, 2006, to May 12, 2007, and only covered controls in place for VA payroll processing at the Indianapolis, Indiana Payroll Office for the period of May 13, 2007, to June 30, 2007.

Our examination was conducted for the purpose of forming an opinion on the description of the DCPS general and application controls at DFAS and DISA (Section II). The business continuity plans and procedures at DFAS and DISA, as provided by DFAS and DISA respectively and included in Section IV, are presented to provide additional information to user organizations and are not a part of the description of controls at DFAS and DISA. The information in Section IV has not been subjected to the procedures applied in the examination of the aforementioned description of the controls at DFAS and DISA. Accordingly, we do not express an opinion on the description of the business continuity plans and procedures provided by DFAS and DISA.

In our opinion, the accompanying description of the DCPS general computer and application controls at DFAS and DISA (Section II) presents fairly, in all material respects, the relevant aspects of the controls at DFAS and DISA that had been placed in operation as of June 30, 2007. Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and users applied those aspects of internal control contemplated in the design of the controls at DFAS and DISA.

In addition to the procedures that we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specified controls, listed in Section III, to obtain evidence about their effectiveness in meeting the related control objectives described in Section III during the period of July 1, 2006, through June 30, 2007. The specific control objectives, controls, and the nature, timing, extent, and results of the tests are documented in Section III. This information has been provided to DCPS user organizations and to their auditors to be taken into consideration, along with information about the user organizations' internal control environments, when making assessments of control risk for such user organizations.

In performing our examination, we identified the following operating effectiveness deficiencies related to the controls described in the "Description of DCPS Operations and Controls Provided by DFAS and DISA" (Section II):

DCPS User Access

DFAS requires every DCPS user to complete a System Access Authorization Request (SAAR) form. The SAAR form documents user access and must be signed by a supervisor indicating that such access has been approved.
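In substance, the examination of forms described next is a reconciliation between the authorization record (the SAAR) and the account as actually provisioned in DCPS, plus a completeness check on the attestations each form must carry. The script below is an added example written for this page, not DFAS or DCPS code; the record layout, field names, exception wording and sample records are constructed assumptions. It reports the same classes of exception the findings list (user-type and authorization-type mismatches against the account list, and missing training dates, signatures and signature dates), and it also checks the direction a review of the forms alone cannot see: accounts that exist with no authorization on file.

```python
"""Reconcile access-authorization forms (SAAR-style records) against the
application's account list and report exceptions.  Added example; the field
names, exception wording and sample records are constructed, not DCPS's."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Attestations every form must carry, in the order the findings list them.
REQUIRED_ATTESTATIONS = (
    ("training_date", "missing security awareness training date"),
    ("user_signed", "missing user signature"),
    ("supervisor_signed", "missing supervisor signature"),
    ("supervisor_signed_date", "missing date of supervisor signature"),
    ("security_mgr_signed", "missing security manager signature"),
    ("security_mgr_signed_date", "missing date of security manager signature"),
)

@dataclass
class Saar:
    user_id: str
    user_type: str                     # role category, e.g. "PAYROLL" or "CSR"
    auth_type: str                     # access level, e.g. "UPDATE" or "INQUIRY"
    training_date: Optional[str] = None
    user_signed: bool = False
    supervisor_signed: bool = False
    supervisor_signed_date: Optional[str] = None
    security_mgr_signed: bool = False
    security_mgr_signed_date: Optional[str] = None

def reconcile(forms, accounts):
    """accounts: {user_id: {"user_type": ..., "auth_type": ...}} exported from the
    application's user list.  Returns {user_id: [exception, ...]} for every user
    with at least one exception; clean users do not appear."""
    findings = {}
    seen = set()
    for f in forms:
        seen.add(f.user_id)
        ex = []
        acct = accounts.get(f.user_id)
        if acct is None:
            ex.append("form on file but no account provisioned")
        else:
            if acct["user_type"] != f.user_type:
                ex.append(f"user type mismatch: form={f.user_type} account={acct['user_type']}")
            if acct["auth_type"] != f.auth_type:
                ex.append(f"authorization type mismatch: form={f.auth_type} account={acct['auth_type']}")
        for attr, msg in REQUIRED_ATTESTATIONS:
            if not getattr(f, attr):
                ex.append(msg)
        if ex:
            findings[f.user_id] = ex
    # Reviewing only the forms on hand misses the most important case: an
    # account that exists with no authorization record behind it.
    for uid in sorted(accounts.keys() - seen):
        findings[uid] = ["account provisioned with no SAAR on file"]
    return findings

def tally(findings):
    """Count users per exception class, the way an audit summary reports them
    ('3 forms were missing ...'); the detail after a colon is dropped."""
    counts = Counter()
    for exceptions in findings.values():
        for msg in exceptions:
            counts[msg.split(":")[0]] += 1
    return counts

# Constructed sample: one clean form, two with exceptions, one account without a form.
ACCOUNTS = {
    "u1001": {"user_type": "PAYROLL", "auth_type": "UPDATE"},
    "u1002": {"user_type": "CSR", "auth_type": "INQUIRY"},
    "u1003": {"user_type": "PAYROLL", "auth_type": "INQUIRY"},
    "u1004": {"user_type": "CSR", "auth_type": "INQUIRY"},
}
FORMS = [
    Saar("u1001", "PAYROLL", "UPDATE", "2006-08-01", True, True, "2006-08-02", True, "2006-08-03"),
    Saar("u1002", "PAYROLL", "INQUIRY", "2006-09-10", True, True, "2006-09-10", True, None),
    Saar("u1003", "PAYROLL", "UPDATE", None, True, True, None, True, "2007-01-05"),
]

def sample_findings():
    return reconcile(FORMS, ACCOUNTS)

if __name__ == "__main__":
    for uid, ex in sample_findings().items():
        print(uid, ex)
    print(tally(sample_findings()))
```

Run against the full account export rather than a 42-form sample, a check like this turns the control from a periodic audit into a continuous access review. An authorization-type mismatch is the case to treat as a revocation rather than a paperwork correction, since the account is carrying a level of access nobody approved.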
Upon examining a selection of 42 forms for DCPS non-payroll office users, we identified:

   • 1 form had a user type that did not match the user type in the list of DCPS Users by Database;
   • 3 forms had authorization types that did not match the authorization type in the list of DCPS Users by Database;
   • 3 forms were missing the DCPS Security Awareness Computer-Based Training (CBT) completion date;
   • 1 form was missing the user's signature;
   • 1 form was missing the supervisor's signature;
   • 9 forms were missing the date of the supervisor's signature;
   • 5 forms were missing the security manager's signature; and
   • 10 forms were missing the date of the security manager's signature.

Upon examining a selection of 42 forms for DCPS payroll office users, we identified:

   • 6 forms had a user type that did not match the user type in the list of DCPS Users by Database;
   • 3 forms had authorization types that did not match the authorization type in the list of DCPS Users by Database;
   • 1 form was missing the DCPS Security Awareness CBT completion date;
   • 2 forms were missing the supervisor's signature;
   • 12 forms were missing the date of the supervisor's signature;
   • 2 forms were missing the security manager's signature; and
   • 4 forms were missing the date of the security manager's signature.

As a result, the following control objectives that rely on this control may not have been achieved during the period of July 1, 2006, through June 30, 2007:

"Controls prevent unauthorized system access to DCPS data."

"Controls provide reasonable assurance that personnel and payroll data processed and stored at the DFAS and DISA General Computer Control (GCC) locations are valid, accurate, authorized, complete, [and] timely, support financial reporting requirements and provide sufficient audit trails."

Monitoring DCPS Error Reports

The Personnel Interface Invalid Report (PIIR) is a key control for monitoring and resolving DCPS interface processing errors. The report lists transactions from interface files that were rejected, suspended, or deleted because they conflicted with data already in DCPS.

We requested a sample of 45 PIIRs generated during the audit period at each payroll office to confirm whether the reports were consistently annotated to indicate that processing exceptions were resolved.

At the DFAS Pensacola Payroll Office, 16 of the 45 PIIRs selected from the CP1 and ZKA databases could not be located. Of the remaining 29 reports inspected, we identified:
   • 8 reports were missing the technician's signature;
   • 8 reports were missing the date on which the technician annotated the report; and
   • 29 reports were inconsistently annotated with the codes outlined in the SOP.

We confirmed that the requirement for technicians to annotate every transaction did not take effect until May 27, 2007. Only one report in the random sample was generated after this date (June 18, 2007). We scanned this report and noted that the technician who annotated it did not comply with the new requirement and did not annotate transactions consistently. None of the 29 reports reviewed contained sufficient detail to confirm resolution of all the errors in the reports.

At the DFAS Denver Payroll Office, we inspected a sample of 45 PIIRs for each of the OMA and ZPA pay databases. For 5 of the 45 reports for the OMA database, the payroll office technician had not annotated each line item describing the correction method. Of the 45 reports inspected for the ZPA database, 1 report could not be located at the Denver Payroll Office.

As noted above, VA payroll processing moved from the Pensacola Payroll Office to the Indianapolis Payroll Office on May 13, 2007; our examination covered VA processing at Pensacola for August 20, 2006, to May 12, 2007, and at Indianapolis for May 13, 2007, to June 30, 2007.

At the DFAS Indianapolis Payroll Office, we inspected a sample of 25 PIIRs. The ZPV PIIR processing was performed at the Pensacola Payroll Office from August 20, 2006, through May 12, 2007. The Pensacola Payroll Office was unable to supply PIIR documentation for August 20, 2006, through January 19, 2007; therefore, testing could not be conducted for this timeframe. Of the 26 PIIRs in the DFAS Indianapolis Payroll Office sample, we observed:
   • 1 report could not be provided;
   • 15 reports were missing dates;
   • 1 report was missing a technician's signature; and
   • 4 reports were not properly annotated.

In addition, we observed that the PIIR did not contain sufficient detail documenting whether all errors were resolved.

As a result, the following control objective that relies on this control may not have been achieved during the period of July 1, 2006, through June 30, 2007:

"Controls provide reasonable assurance that personnel and payroll data processed and stored at the DFAS and DISA (GCC) locations are valid, accurate, authorized, complete, [and] timely, support financial reporting requirements and provide sufficient audit trails."

Visitor Access

At the DFAS Denver Payroll Office, visitors with a valid Common Access Card (CAC), law enforcement badge, or military identification can enter the DFAS building and are not required to sign in and out with security; therefore, access is not limited to authorized payroll office personnel. We observed that data entry terminals were not located in physically secure locations within locked rooms. The data entry terminals are located in an open space shared by non-payroll personnel who may be able to access sensitive payroll information. In addition, we inspected a sample of 45 visitor logs. Of the 45 visitor logs inspected, we observed that:
   • 14 logs did not have a telephone number recorded; and
   • 2 logs did not have an escort's signature.

At the DFAS Indianapolis Payroll Office, visitors with a valid CAC, law enforcement badge, or military identification can enter the DFAS building and are not required to sign in and out with security; therefore, access is not limited to authorized payroll office personnel. We observed that the terminals that process payroll are located within a physically secure building; however, the terminal rooms are not locked, and the data entry terminals are connected to the system 24 hours a day, seven days a week. The terminal rooms are located in spaces shared with other agencies and non-payroll office personnel who may be able to access sensitive payroll information. In addition, we observed that other visitors to the DFAS Indianapolis Payroll Office must sign in and out with authorized security personnel; however, once a visitor is inside the building there is no requirement to display the visitor badge.

As a result, the following control objective that relies on this control may not have been achieved during the period of July 1, 2006, through June 30, 2007:

"Controls prevent unauthorized physical access to DCPS data."

Limit and Reasonableness Checks

At the Indianapolis Payroll Office, we scanned the Less than $1 Greater than $5,000 Desk Guide and confirmed that it did not document procedures requiring a supervisor to review 10% of the entries in the report, or a requirement to evidence the review with a signature or similar notation.

As a result, the following control objective that relies on this control may not have been achieved during the period of July 1, 2006, through June 30, 2007:

"Controls provide reasonable assurance that personnel and payroll data processed and stored at the DFAS and DISA (GCC) locations are valid, accurate, authorized, complete, [and] timely, support financial reporting requirements and provide sufficient audit trails."

Gross Pay Change Reasonableness Check

At the DFAS Charleston Payroll Office, we observed that large payroll increases occurred in the pay periods ending March 17, 2007, and May 12, 2007, for the ZPD payroll database and the ZFR payroll database respectively.
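The two findings in this part of the report, the missing 10% supervisory review of the Less than $1 Greater than $5,000 report and the absence of any check on movement in total gross payroll, are both limit and reasonableness checks; they differ only in the level at which they operate. The following is an added example, not DFAS or DCPS code. The dollar limits and the 10% figure are taken from the report's own description of the desk guide; the variance tolerance, the baseline window, the record layouts and the pay-period totals are constructed assumptions. It applies the transaction-level limits, draws the supervisory sample the desk guide should require, and compares each period's gross total with a baseline of recent periods so that an increase like the ones observed at Charleston is flagged unless a documented justification for that period exists.

```python
"""Limit and reasonableness checks on payroll output at two levels:
per-transaction net pay limits and gross payroll movement per pay period.
Added example with constructed data; thresholds and layouts are assumptions."""
import math
import random
from statistics import median

LOW_LIMIT = 1.00        # desk-guide limit from the report: net pay under $1 is reviewed
HIGH_LIMIT = 5000.00    # desk-guide limit from the report: net pay over $5,000 is reviewed
REVIEW_FRACTION = 0.10  # supervisor re-performs 10% of the flagged entries (report figure)
VARIANCE_PCT = 10.0     # assumed tolerance for gross payroll vs. baseline before review
WINDOW = 6              # assumed number of prior pay periods forming the baseline

def transaction_limit_check(payments):
    """payments: iterable of (employee_id, net_pay).  Returns the rows a
    technician must explain, with the limit each one breached."""
    flagged = []
    for emp, net in payments:
        if net < LOW_LIMIT:
            flagged.append((emp, net, "below $1"))
        elif net > HIGH_LIMIT:
            flagged.append((emp, net, "above $5,000"))
    return flagged

def supervisory_sample(flagged, fraction=REVIEW_FRACTION, seed=0):
    """Deterministic selection of the entries a supervisor re-performs.  The
    seed is recorded with the review so the sample can be reproduced; at least
    one entry is always selected when anything was flagged."""
    if not flagged:
        return []
    n = max(1, math.ceil(len(flagged) * fraction))
    return random.Random(seed).sample(flagged, n)

def gross_variance_check(history, period, gross, justifications=None):
    """history: {period_end: gross_total} for one payroll database's prior periods.
    The baseline is the median of the last WINDOW periods, which a single earlier
    spike (e.g. a prior bonus run) cannot drag upward the way a mean could.
    Returns None when within tolerance, otherwise a finding that is 'justified'
    only if a documented reason exists for that period."""
    recent = sorted(history)[-WINDOW:]
    baseline = median(history[p] for p in recent)
    variance = (gross - baseline) / baseline * 100.0
    if abs(variance) <= VARIANCE_PCT:
        return None
    reason = (justifications or {}).get(period)
    return {
        "period": period,
        "baseline": round(baseline, 2),
        "gross": gross,
        "variance_pct": round(variance, 1),
        "justified": reason is not None,
        "justification": reason,
    }

# Constructed sample data (not DCPS figures); bi-weekly pay periods for one database.
PAYMENTS = [("e1", 1850.25), ("e2", 0.42), ("e3", 7200.00), ("e4", 0.00), ("e5", 5000.00)]
HISTORY = {
    "2006-12-23": 4_100_000.00, "2007-01-06": 4_120_000.00, "2007-01-20": 4_090_000.00,
    "2007-02-03": 4_150_000.00, "2007-02-17": 4_130_000.00, "2007-03-03": 4_110_000.00,
}
JUSTIFICATIONS = {"2007-03-17": "annual performance bonus payout; authorization memo on file"}

def run_sample():
    """Run both checks on the constructed data and return the results."""
    flagged = transaction_limit_check(PAYMENTS)
    return {
        "flagged": flagged,
        "sample": supervisory_sample(flagged),
        "bonus_period": gross_variance_check(HISTORY, "2007-03-17", 5_300_000.00, JUSTIFICATIONS),
        "unexplained": gross_variance_check(HISTORY, "2007-03-31", 4_600_000.00, JUSTIFICATIONS),
        "normal": gross_variance_check(HISTORY, "2007-03-31", 4_200_000.00, JUSTIFICATIONS),
    }

if __name__ == "__main__":
    for name, result in run_sample().items():
        print(name, result)
```

The justification lookup is the point of the gross-level check: a bonus run is a legitimate reason for a 29% jump, but the control only works if the reason is recorded before the payroll is released, so that the reviewer is confirming documentation that exists rather than accepting an explanation after the fact.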
DFAS Charleston stated that these large increases were for annual pay bonuses that were paid in the appropriate pay period. However, DFAS Charleston was unable to provide us documentation to confirm the reasonableness of the large payroll increases. DFAS does not have a limit or reasonableness check to identify variances at the gross payroll level.

As a result, the following control objective that relies on this control may not have been achieved during the period of July 1, 2006, through June 30, 2007:

"Controls provide reasonable assurance that personnel and payroll data processed and stored at the DFAS and DISA (GCC) locations are valid, accurate, authorized, complete, [and] timely, support financial reporting requirements and provide sufficient audit trails."

Personnel/Payroll Reconciliation Reports

At the DFAS Pensacola Payroll Office, we observed that the Payroll Office does not send a letter of completion signed by the supervisor to the personnel offices as documented in the Standard Operating Procedure (SOP). We inspected 45 Personnel/Payroll Reconciliation Reports. Of the 45 reports inspected, one report for Thrift Savings Plan (TSP) changes, which is handled by the Support Services Branch, could not be located. In addition, we observed that reports sent to the Support Services Branch were not maintained with a cover sheet as required by the SOP and that four reports were not completed within 10 working days as required by the SOP.

At the DFAS Charleston Payroll Office, we observed that DFAS Charleston did not receive any Personnel/Payroll Reconciliation Reports for three of the four quarters of our audit period and received only four reports for the remaining quarter. The reports for the most recent quarter were supplied; however, we were unable to test them as the reconciliation process was not yet complete. We observed, for the reports that were supplied, that the Charleston Payroll Office did not create cover sheets for the Personnel/Payroll Reports as required by the DFAS entity-wide Personnel/Payroll Reconciliation SOP.

As a result, the following control objective that relies on this control may not have been achieved during the period of July 1, 2006, through June 30, 2007:

"Controls provide reasonable assurance that personnel and payroll data processed and stored at the DFAS and DISA (GCC) locations are valid, accurate, authorized, complete, [and] timely, support financial reporting requirements and provide sufficient audit trails."

"592" Reconciliation Reports

The "592" Reconciliation process is performed at the end of every pay period by Civilian Pay Technicians to confirm that all balancing spreadsheets have been received and that all discrepancies have been identified and/or corrected before the payroll files are released.

At the DFAS Pensacola Payroll Office, we inspected 26 592 reconciliation reports for each of the CP1 and ZKA databases. For the CP1 database, we observed that one of the reports did not have a Certifying Officer's signature. For the ZKA database, we observed that 2 of the Form 2812 Statements of Withholding were not signed and dated, and 3 were not dated.

At the DFAS Charleston Payroll Office, we inspected 26 592 reconciliation reports for the ZGT payroll database. We observed that one of the reports was corrected by the preparer but not reconciled. Another report did not balance even after a supplemental was prepared, and it did not have the 592 preparer's signature. Three reports were corrected but did not balance and did not have a corresponding supplemental worksheet. When a correction to the 592 Report is necessary (that is, an adjustment), a supplemental 592 is created to maintain the integrity of the original 592 Report. In addition, the DFAS Charleston Payroll Center applies its procedure for recording adjustments to the 592 inconsistently when the report is initially out of balance or does not include all of the lines of accounting required for full reconciliation. We also observed that no policy or procedure requires the 592 reconciler to identify an increase in total payroll, or to document the reason for the increase in the 592 file, when one occurs.

At the DFAS Indianapolis, Indiana Payroll Office, we inspected 26 592 reconciliation reports for the ZPV payroll database. Of the 26 reports, 5 were processed by the VA; therefore, only 21 were tested. Of the 21 592 reconciliation reports selected, 2 Withholding Reports were not signed. In addition, policies and procedures for reconciling the 592 reports are not consistent.

As a result, the following control objectives that rely on this control may not have been achieved during the period of July 1, 2006, through June 30, 2007:

"Controls provide reasonable assurance that DCPS authorized users are restricted to access only areas needed to complete their assigned responsibilities and controls maintain segregation of duties."

"Controls provide reasonable assurance that personnel and payroll data processed and stored at the DFAS and DISA (GCC) locations are valid, accurate, authorized, complete, [and] timely, support financial reporting requirements and provide sufficient audit trails."

DCPS Interfaces

All DCPS interfaces should have a signed Memorandum of Agreement (MOA) documenting key information, including impacted parties, interconnection requirements, points of contact, security requirements, technical platform information, interface file information, and designated signatories. However, 4 of 81 DCPS interfaces did not have a documented MOA in place. In addition, DCPS data traveling within the NIPRNET (the unclassified DISA network) was not encrypted.

As a result, the following control objectives that rely on this control may not have been achieved during the period of July 1, 2006, through June 30, 2007:

"DFAS has classified all DFAS-owned assets according to criticality and sensitivity."

"Data management and the disposition and sharing of data requirements are identified in the Service Level Agreements."

DCPS Password Configurations

All passwords for DCPS accounts are required to comply with Department of Defense Instruction 8500.2, "Information Assurance (IA) Implementation," standards.
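The two requirements at issue in the finding that follows, password complexity and a change of at least four characters from the previous password, can both be enforced mechanically at the moment a password is changed. The following is an added example, not DFAS, DISA or DCPS code; the report states only that complexity and a four-character change were required, so the minimum length, the four character classes and the case-only check are assumptions standing in for whatever the applicable DoDI 8500.2 control specified. It measures the change as edit distance rather than as position-by-position difference, because a rotation or shift of the old password changes most positions while adding nothing. The comparison can only run while both plaintexts are in hand, which is why the old password must come from the user at change time, password history must be kept as salted hashes, and history older than the immediately previous password can be checked only for exact reuse.

```python
"""Password-change validation: composition and minimum characters changed.
Added example; only the four-character-change rule comes from the report,
the other thresholds are assumptions."""
import string

MIN_LENGTH = 8        # assumed
MIN_CHANGED = 4       # from the report: at least four characters must change
CLASSES = {           # assumed complexity classes, at least one of each required
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def complexity_failures(pw):
    """Return the composition rules the candidate password breaks (empty = passes)."""
    fails = []
    if len(pw) < MIN_LENGTH:
        fails.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            fails.append(f"no {name} character")
    return fails

def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions).  A
    position-by-position count rates 'Summer2007!' -> 'ummer2007!S' as nine
    changed characters; it is one deletion and one insertion, so 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]

def validate_change(old, new):
    """Run at change time, when the user has just supplied the old password and
    both plaintexts are briefly available.  Store only salted hashes of past
    passwords; older history can then be checked only for exact reuse."""
    fails = complexity_failures(new)
    if edit_distance(old, new) < MIN_CHANGED:
        fails.append(f"fewer than {MIN_CHANGED} characters changed")
    if new != old and new.lower() == old.lower():
        fails.append("differs from previous password only by case")
    return fails

if __name__ == "__main__":
    for old, new in [("Summer2007!", "ummer2007!S"),
                     ("Summer2007!", "Winter2007!"),
                     ("Summer2007!", "SUMMER2007!")]:
        print(repr(new), validate_change(old, new) or "accepted")
```

An empty list means the change is accepted. The case-only rule is strictly stronger than the report's stated requirement: 'Summer2007!' to 'SUMMER2007!' changes five characters and would pass the four-character test alone.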
However,\nDCPS was not configured to enforce the use of complex passwords or to enforce the\nrequirement to change at least four characters of the password.\n\nAs a result, the following control objective that relies on this control may not have been\nachieved during the period of July 1, 2006, through June 30, 2007:\n\n\xe2\x80\x9cPasswords, tokens, or other devices are used to identify and authenticate users.\xe2\x80\x9d\n\nIn our opinion, except for the deficiencies in operating effectiveness noted in the\npreceding paragraphs, the controls that were tested, as described in Section III, were\noperating with sufficient effectiveness to provide reasonable, but not absolute, assurance\nthat the control objectives specified in Section III were achieved during the period of\nJuly 1, 2006, through June 30, 2007.\n\nThe relative effectiveness and significance of specific controls at DFAS and DISA, and\ntheir effect on assessments of control risk at user organizations, are dependent on their\ninteraction with the internal control environment and other factors present at individual\nuser organizations. We have not performed procedures to evaluate the effectiveness of\ninternal controls placed in operation at individual user organizations.\n\nThe description of the controls at DFAS and DISA is effective as of June 30, 2007, and\ninformation about tests of their operating effectiveness covers the period of July 1, 2006,\nthrough June 30, 2007. Any projection of such information to the future is subject to the\nrisk that, because of change, the description may no longer portray the system in\nexistence. 
The potential effectiveness of specific controls at DFAS and DISA is subject\nto inherent limitations and, accordingly, errors or fraud may occur and not be detected.\n\n\n                                            10\n\n\x0cFurthermore, the projection of any conclusions, based on our findings, to future periods is\nsubject to the risk that: (1) changes made to the system or controls, (2) changes in processing\nrequirements, or (3) changes required because of the passage of time may alter the validity of\nsuch conclusions.\n\nThis report is intended solely for use by DCPS management, its user organizations, and the\nindependent auditors of such user organizations.\n\n\n                               By direction of the Deputy Inspector General for Auditing:\n\n\n                                 p~ Q,                 /YlrMdv\n                             fo(Paul J. Granetto, CPA\n                              Assistant Inspector General\n                           Defense Financial Auditing Service\n\n\n\n\n                                            11\n\n\x0c\x0cSection II: Description of DCPS Operations and Controls \n\n              Provided by DFAS and DISA \n\n\n\n\n\n                           13\n\n\x0c\x0cII. Description of DCPS Operations and Controls Provided by\nDFAS and DISA\n\nA. Overview of DCPS\nPurpose of DCPS\n\nIn 1991, DoD selected DCPS as its standard payroll system. DCPS is used by all DoD\nactivities paying civilian employees, except Local Nationals and those funded by Non-\nappropriated Funds and Civilian Mariners. Before becoming the DoD-wide civilian pay\nsystem, DCPS was the Navy civilian pay system, which had been in operation since\n1988. DFAS began paying the Executive Office of the President (EOP) in 1998. The\n2001 President\xe2\x80\x99s Management Agenda e-Payroll initiative established Federal payroll\nproviders to service the entire executive branch of the Federal Government. DFAS was\nselected as one of those providers. 
DFAS began processing payroll for the Department of Energy (DOE) in 2003, the Department of Health and Human Services (HHS) in 2005, and the Environmental Protection Agency (EPA), Department of Veterans Affairs (VA) and the Broadcast Board of Governors (BBG) in 2006. As of June 30, 2006, DCPS processes pay for approximately 798,000 employees.

The DCPS program mission is to process payroll for DoD civilian employees in accordance with existing regulatory, statutory, and financial information requirements relating to civilian pay entitlements and applicable policies and procedures. The DoD civilian pay program must satisfy the complex and extensive functional, technical, and interface requirements associated with the DoD civilian pay function. The functional areas include: employee data maintenance; time and attendance; leave; pay processing; deductions; retirement processing; debt collection; special actions; disbursing and collection; reports processing and reconciliation; and record maintenance and retention. DCPS provides standard interface support to various accounting, financial management, and personnel systems. From a life-cycle perspective, DCPS is in the maintenance phase, with system changes mainly resulting from legislative and functional requirements.

Currently, DFAS is participating in a Base Realignment and Closure (BRAC) transformation that impacts the DCPS Payroll Offices. Approximately 250 payroll processing personnel at 3 DFAS Payroll Offices located in Pensacola, Florida; Charleston, South Carolina; and Denver, Colorado use DCPS. Approximately 150 processing personnel will use DCPS at the enduring payroll office sites located in Cleveland, Ohio, and Indianapolis, Indiana. DCPS is also used at NSA.* Additional users include Customer Service Representatives (CSRs) at customer activities and sites. Four of the five DFAS payroll offices process payroll for DoD civilians.
The Pensacola Payroll Office processes EOP payroll. The Charleston Payroll Office processes DOE, HHS, and BBG payroll. The Indianapolis Payroll Office processes VA payroll, and the Denver Payroll Office processes EPA payroll. Migration completion of all payroll processing is targeted for June 2008.

* The NSA payroll office is not included in the scope of this “Description of DCPS Operations and Controls Provided by DFAS and DISA”.

DCPS Support Functions

The DFAS Standards and Compliance Division (under the direction of the DFAS Director) provides high-level management control and coordination within DoD and for DCPS external customers. The Civilian Pay Systems Management Directorate (under the direction of the DFAS Chief Information Officer) has overall daily responsibility for application, operation, interpretation and implementation of DCPS. In addition, those offices are responsible for coordinating with external users and new customers. Civilian Pay Systems Management Directorate is responsible for requirements management, functional analysis, information assurance, and user documentation processes.

The Technology Services Engineering Organization Pensacola (TSOPE) provides DCPS software engineering, production support, and customer service. Within TSOPE, several groups provide DCPS support. The Software Engineering Division provides technical design, programming, unit testing, and system documentation. The Software Test and Evaluation Division performs integration testing and evaluation processes. The Project Support Division provides system software, telecommunication, computer resource tools, and database support. DCPS Software Quality Assurance monitors the software engineering process and provides recommendations for improvement.
The Systems Support Division provides configuration management, release management, implementation status, and customer support. DCPS is maintained and executed on a DISA mainframe platform at DECC SMC Mechanicsburg, Pennsylvania.

DCPS Systems Architecture

DCPS has a two-tiered architecture:

   • mainframe hardware and software components - used as a repository for collecting and accumulating data, and providing centralized, biweekly processing of civilian pay and its attendant functions (for example, electronic funds transfer, generation of leave and earnings statements); and
   • remote user/print spooler hardware and software - used to collect and/or pre-process data at customer sites, provide connectivity to DCPS mainframe components, and support printing of mainframe-generated outputs (for example, reports, timesheets) at customer locations. The components are largely customer-owned and operated, and include local area networks (LANs), personal computers, and a diverse assortment of printers and software that operates and connects the networks, computers, and printers. DFAS maintains a limited number of mid-tier (minicomputer) systems at selected DFAS sites to handle specialized printing requirements (for example, paychecks). Other offloaded print services, such as bulk printing for DCPS Payroll Offices and printing of Leave and Earnings Statements, are performed on PC/workstation hardware maintained by the Document Automation & Production Service (DAPS) located at various sites in the United States and overseas.

The two tiers of the DCPS architecture are connected via DoD-maintained networks composed of Internet Protocol (IP)-based systems (for example, the Non-Classified Internet Protocol Router Network) and Systems Network Architecture-based (leased line) services.
Those networks connect DCPS to a wide variety of external, non-DCPS sites (mainframes, mid-tiers, and PCs) that supply or exchange data with DCPS, mainly through electronic file transfers, on a regular basis. Examples of external interface sites include the Defense Civilian Personnel Data System, Thrift Savings Plan (TSP), Department of the Treasury, and non-DoD users such as DOE, EPA, EOP, HHS, BBG and VA.

The main technical components of DCPS include the following attributes:

       • DCPS is housed in a separate logical domain on an IBM z9 mainframe computer located at DECC Mechanicsburg;
       • the IBM mainframe operating system software is z/OS release 1.7;
       • DCPS is written in Common Business Oriented Language II;
       • first point of entry security protection mechanisms are provided by Access Control Facility 2 (ACF2);
       • DECC Mechanicsburg provides four web servers that service all applications that support DCPS. Those servers accept the users’ secure web requests by supplying a menu screen with options for each application to the DCPS LOGON SCREEN, where individuals enter their ACF2 login user identification (ID) and passwords; and
       • third-party software packages are used for DCPS process scheduling and monitoring, tax calculations, and mailing address verification.

The payroll offices and associated Customer Service Representatives (CSRs) have access to DCPS via dedicated leased lines, various DoD networks, and through Secure Web Access. Secure Web Access enables secure transaction processing across the Non-Classified Internet Protocol Router Network. IBM’s Host On Demand was used to establish the Secure Web Access infrastructure.
DCPS users interact directly with the DCPS application through “3270” emulation, using Personal Computer/Advanced Technology keyboard mapping terminals or terminal simulation programs to communicate with DCPS. This permits application-defined formatted screens to be displayed with protected static text and unprotected fields for data entry. The payroll offices are structured in accordance with DFAS standard staffing policy and conduct business using standard operating and support procedures. They operate on a 24-hour basis to provide payroll service to customers located in various time zones and are responsible for the full range of pay processing functions and services. As circumstances dictate, the three payroll offices serve as operational back-up sites for each other when contingency procedures are executed by DFAS.

DoD Instruction 8500.2, “Information Assurance Implementation,” February 6, 2003, (DoD I 8500.2) identifies specific control requirements DoD systems should achieve based on their designated Mission Assurance Category (MAC). The DCPS application Authority to Operate, dated July 29, 2005, is on file with the DFAS Chief Information Officer. According to the current DCPS SSAAs, as of June 30, 2005, the MAC level for the DCPS application is “MAC III” and its supporting enclave at DISA DECC Mechanicsburg is “MAC II.”

DCPS Data Flow

The figure below depicts the flow of data to and from DCPS. DCPS customers and technicians input data, including master employee and time and attendance logs.
DCPS outputs data to multiple systems and entities, including financial reporting entities, the automated disbursing system, and data storage.

[Figure: DCPS Interfaces. Systems and entities shown exchanging data with DCPS: Defense Automated Printing Service; ePayroll Customer Systems; Voluntary Benefit Portal (TLC, FSA, V&D); OPM (RITS, EHRI); myPay; Personnel Systems (DCPDS, PeopleSoft); National Guard Assoc of the US (NGAUS); National Guard Dual Comp Office; Integrated Garnishment System (IGS); Federal Reserve Bank (FRB); Nat’l Treas Emp Union (NTEU); FEHB Clearing-House Project; National Finance Center; Automated Disbursing System (ADS); Defense Manpower Data Center (DMDC); Imaging; DFAS Denver Bonds/Dept Acct; Defense Corporate Data base; DFAS Indy Acct edit/Dept Acct; Treasury IRS/SSA; Army Audit; DFAS Columbus Dept Acct; State Tax Entities; DFAS Cleveland Dept Acct; Field Level Accounting (26); T&A SDA (19); Local Tax Entities.]

Overview of System Interfaces

DCPS is a combination of on-line and batch programs that support the requirements of a bi-weekly payroll process for civilian employees in the Federal Government based on data feeds from numerous personnel, accounting, and time and attendance systems. Transactions to update employee data, adjust leave balances and payments, and report time and attendance may be input daily to spread the online workload and to obtain labor data. However, the focal point of the system is the bi-weekly process. Non-bi-weekly process functions occur monthly, quarterly, annually, or as required, and are in support of, or a result of, multiple bi-weekly pay cycles. DCPS supports a standard personnel interface, decentralized time and attendance reporting, and the CSR structure.

DCPS accepts input from three primary areas: CSRs, timekeepers, and personnel offices.
DCPS receives or creates approximately 81 interface files that, among other functions:

   • update personnel information;
   • upload time and attendance data;
   • download information for checks to be printed;
   • report accounting information to the Department of the Treasury;
   • reconcile enrollment information with health care providers; and
   • download general accounting information to DoD agencies.

Automatic electronic file transfer directly to and from the host mainframe computer is preferred for input and output file interfaces. Output files are automatically transmitted to sites and activities using common file transfer protocols, by way of communication lines or files written to magnetic tape at the host (using data in File Transfer Tables). Interface partners must provide File Transfer Table data to the TSOPE for table updates. For files not automatically transferred, the activity receiving DCPS data is responsible for accessing the host computer to retrieve (“pull”) the output file(s) from the host. In addition, the activity creating payroll data is responsible for developing and sending a DCPS input file by secure means to the processing center supporting the payroll office. The payroll activities and the submitting activities establish mutually agreeable schedules to ensure timely receipt of data necessary to support DCPS payroll processing. TSOPE is responsible for executing and monitoring interface processing, as well as resolving interface processing errors or problems.

B. Control Environment

DCPS Management Oversight

The DFAS Information and Technology Directorate is responsible for reviewing and approving DCPS security policy, and the DCPS certification and accreditation plan, and granting DCPS authority to operate.
TSOPE provides not only DCPS software engineering support, but also production support and customer service. DCPS is maintained and executed on a DISA mainframe platform at DECC Mechanicsburg, Pennsylvania. DECC Mechanicsburg is part of the Center for Computing Services within the Global Information Grid Combat Support Directorate, which is a Strategic Business Unit within DISA. DFAS and DISA have documented DCPS support services provided by DISA in a service-level agreement that is reviewed by both agencies on an annual basis. DFAS and DISA have documented policies and procedures describing their respective roles and responsibilities in supporting payroll functions. DFAS and DISA are Defense agencies that report to the Office of the Secretary of Defense.

Personnel Policies and Procedures

DFAS Payroll Offices and TSOPE. Payroll office employees and contractors are required to review applicable administrative orders, policies, and procedures with the Human Resource Office and must complete appropriate forms to gain access to DFAS systems. New employees must meet with the Information Security (IS) Manager. The IS Manager is responsible for: (1) providing basic system security awareness training, (2) securing civilians’ and contractors’ signatures on an Automated Data Processing Security Awareness disclosure form, (3) identifying who an employee’s Terminal Area Security Officer (TASO) is and what the TASO responsibilities are, and (4) notifying appropriate personnel when personnel actions occur. Those actions include providing access to or immediately terminating employee or contractor access to DFAS automated information system resources. The payroll offices and TSOPE facilities require a background check before a candidate can become an employee.

DECC Mechanicsburg. The security manager is responsible for processing new employees and contractors who are given access to DECC Mechanicsburg facilities.
All contractors and employees are required, at a minimum, to have a secret clearance and a positive National Agency Check. For employees, the security manager coordinates with the personnel office, and for contractors, the security manager coordinates with the contracting officer. For contractors, the security manager is responsible for confirming that all contractors are assigned to a valid contract and have been approved to work at DECC Mechanicsburg.

All new employees are required to sign DISA Form 312, “Classified Information Nondisclosure Agreement,” which serves as a nondisclosure agreement for sensitive and classified information. When employees are terminated, DISA requires them to sign the same Form 312 to confirm their understanding of the requirements with which they must comply. New employees and contractors are required to complete a DD Form 2875, “System Authorization Access Request,” to gain access to DISA systems. The security manager is responsible for processing those forms and confirming that the person requesting access has the proper clearance for the level of access requested. For contractors, the security manager confirms the length of the contract and determines when system accounts should expire. All new employees and contractors must complete security awareness training.

C. Monitoring

Management and supervisory personnel at DFAS and DISA monitor the performance quality and internal control environment as a normal part of their activities. DFAS and DISA have implemented a number of management, financial, and operational reports that help monitor the performance of payroll processing, as well as the DCPS system. These reports are reviewed periodically and action is taken as necessary.
All procedural problems and exceptions to normal and scheduled processing are logged, reported, and resolved in a timely manner, with remedial action taken as necessary. In addition, several organizations within DoD perform monitoring activities associated with DCPS-related internal controls.

DISA Office of Inspector General. The DISA Office of the Inspector General (OIG) is an independent office within DISA that conducts internal audits, inspections, and investigations. DISA-related Components that support DCPS are part of the DISA OIG audit universe and are subject to audits, inspections, and investigations conducted by this office.

Field Security Operations. The Field Security Operations (FSO) unit conducts periodic System Readiness Reviews of DISA systems to determine whether those systems comply with documented Standard Technical Implementation Guides (STIGs). The DCPS system components maintained by DISA are subject to FSO reviews. The FSO is independent of the DECC SMC Mechanicsburg management and does not maintain or configure DCPS.

DoD OIG. Congress established the DoD OIG under the Inspector General Act of 1978 to conduct and supervise audits and investigations related to DoD programs and operations. The DoD OIG reports directly to the Secretary of Defense and is independent of DFAS and DISA. DCPS is part of the DoD OIG audit universe and is subject to financial, operational, and information technology audits, reviews, and special assessment projects.

Certification and Accreditation.
DoD Instruction 5200.40, “Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP),” December 30, 1997, established a standard Department-wide process, set of activities, general tasks, and management structure to certify and accredit information systems that will maintain the information assurance and security posture of the Defense Department information infrastructure throughout the life cycle of each system. The certification process is a comprehensive evaluation of the technical and non-technical security features of an information system and other safeguards to establish the extent to which a particular design and implementation meet[s] specified security requirements and covers physical, personnel, administrative, information, information systems, and communications security. The accreditation process is a formal declaration by the designated approving authority that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

DCPS is subject to the requirements of DITSCAP and must meet all DITSCAP certification and accreditation requirements throughout its lifecycle. As part of the DCPS DITSCAP process, DFAS and DISA have developed separate SSAAs for the DCPS application and for the system enclave within DISA that supports the application. Each SSAA is a living document that represents an agreement between the designated approving authority, certifying authority, user representative, and program manager. Among other items, the DCPS SSAA documents DCPS’ mission description and system identification, environment description, system architecture description, system class, system security requirements, organizations and resources, and DITSCAP plan.
On a periodic basis, the system security officer must verify and validate DCPS’ compliance with the information in the SSAA by conducting vulnerability evaluations, security testing and evaluation, penetration testing, and risk management reviews. The DCPS application SSAA was issued on June 30, 2005, and is valid for 3 years. The DECC SMC Mechanicsburg enclave SSAA was issued on February 27, 2006, and is valid for 3 years. The DCPS application Authority to Operate (ATO), dated 29 July 2005, is on file with the GS4B3 Information Assurance Manager. The DCPS ATO will be included in the annual SMC Mechanicsburg Unclassified Enclave SSAA package update that is submitted to the DISA Designated Approval Authority (DAA).

D. Risk Assessment

The DITSCAP process, discussed in subsection C above, includes several activities that enable DFAS and DISA to assess risks associated with DCPS. The DCPS application and enclave SSAAs document threats to DCPS and its supporting technical environment. The SSAAs also contain residual risk assessments that document vulnerabilities noted during DCPS tests and analyses. The information contained in the SSAAs is updated on a periodic basis. Personnel from DFAS TSOPE and DECC SMC Mechanicsburg participate in risk assessment activities.

E. Information and Communication

DCPS is the information system used to process civilian payroll for DoD and payroll customers from other Federal entities including the DOE, EPA, EOP, HHS, BBG and VA.
Payroll processing involves approximately 81 data files that interface with DCPS. Those interfaces are linked to other DoD financial systems, as well as external systems. The majority of the interfaces are automated and must conform to documented interface specifications developed by the TSOPE.

The TSOPE is responsible for executing and monitoring all DCPS automated interfaces.

The support relationship between DFAS and DECC SMC Mechanicsburg is documented through a service level agreement that includes various DFAS and DECC SMC Mechanicsburg points of contact and liaisons that should be used when DCPS issues arise. DECC SMC Mechanicsburg has assigned a customer relationship manager to work with TSOPE to resolve any DCPS processing problems or concerns.

Directors and managers from TSOPE and the SMC meet weekly to discuss DCPS processing issues. The Configuration Control Board, composed of customer agencies, SMC, TSOPE and payroll office personnel, reviews and approves functional and systemic changes to DCPS. The payroll offices have help desk functions to identify and track DCPS user issues and problems and to communicate those issues and problems to SMC for resolution.

F. Control Activities

The DCPS control objectives and related control activities are included in Section III of this report, “Control Objectives, Control Activities, and Tests of Operating Effectiveness,” to eliminate the redundancy that would result from listing them in this section and repeating them in Section III. Although the control objectives and related controls are included in Section III, they are, nevertheless, an integral part of the description of controls.

G. User Organization Control Considerations

DFAS and DISA control activities related to DCPS were designed with the assumption that certain controls would be placed in operation at user organizations.
This section describes some of the controls that should be in operation at user organizations to complement the controls at DFAS and DISA.

User organizations should have policies and procedures in place to ensure that:

   • the servicing payroll office is notified of all terminated employees with access to DCPS;
   • the local human resource office is notified of all terminated employees to ensure that those employees are removed from the master employee record in a timely manner;
   • all time entered by timekeepers is approved and authorized by appropriate user organization management;
   • all master employee records created represent valid employees;
   • all changes to the master employee record are approved by appropriate user organization personnel prior to payroll processing;
   • segregation of duties exists between those at the user organization who enter time and those who enter or change Master Employee Records;
   • if an alternative to the real Social Security Number (SSN) (“pseudo SSN”) is created, the created number has been authorized by appropriate user organization personnel and, if necessary, is accurately tied to a primary and valid SSN;
   • user organization managers review the “Control of Hours” and other payroll-related reports for appropriateness and accuracy;
   • all invalid time entry interface feeds are reviewed and processed by appropriate user organization personnel in a controlled manner; and
   • all invalid personnel record interface feeds are resolved in the interface system by user organization personnel with appropriate approval by user organization management.

Section III: Control Objectives, Control Activities, and Tests of Operating Effectiveness

III. Control Objectives, Control Activities, and Tests of Operating Effectiveness

A. Scope Limitations

The control objectives documented in this section were specified by the DoD OIG. As described in the prior section (Section II), DCPS interfaces with many systems. The controls described and tested within this section of the report are limited to those computer systems, operations, and processes directly related to DCPS itself. We did not perform any procedures to evaluate the integrity and accuracy of the data contained in DCPS. The controls related to the source and destination systems associated with the DCPS interfaces are specifically excluded from this review. In addition, we did not perform procedures to evaluate the effectiveness of input, processing, and output controls within those interface systems. However, we did perform procedures to evaluate DCPS controls concerning interface input and output.

B. Control Objectives, Control Activities, and Tests of Operating Effectiveness

Application Control Objectives, Control Activities, Tests Performed, and Results of Testing

No. 1
Control Objective: Controls prevent unauthorized physical access to DCPS data.

   Control Activity 1.1 - Policies and procedures are documented to describe that personnel payroll records and other sensitive information are maintained and disposed of in accordance with Government-wide and agency-specific guidelines.
   Tests Performed: Inquired with appropriate personnel and read policies and procedures to confirm that personnel payroll records and other sensitive information are maintained and disposed of in accordance with Government-wide and agency-specific guidelines.
   Results of Testing:
      DFAS-Pensacola: No relevant exception noted.
      DFAS-Charleston: No relevant exception noted.
      DFAS-Denver: No relevant exception noted.
      DFAS-Indianapolis: No relevant exception noted.

   Control Activity 1.2 - All documents and storage media are stored in physically and environmentally secure containers.
   Tests Performed: Inquired with appropriate personnel and observed storage processes to confirm documents and storage media are stored properly in environmentally secure containers.
   Results of Testing:
      DFAS Pensacola: We noted during an observation of the document storage warehouse that one of the cipher-locked doors was propped open. We noted electronic records, such as CDs, are stored in the locked Pensacola Payroll Office;

No.
Control Objective   Control Activities         Tests Performed       Results of Testing\n\n\n                                                                       however, are not required\n                                                                       to be locked in a cabinet.\n                                                                       DFAS Management\n                                                                       indicated that the testing\n                                                                       exceptions reflected office\n                                                                       closure preparations as a\n                                                                       result of BRAC and were\n                                                                       not significant enough to\n                                                                       qualify the control\n                                                                       objective as these storage\n                                                                       areas are located within the\n                                                                       secure Payroll Office\n                                                                       locations.\n                                                                       DFAS-Charleston\n                                                                       We noted during an\n                                                                       observation of the\n                                                                       document storage\n                                                                       warehouse that access to\n                                                                       the document storage\n                                                                       warehouse was through\n                   
                                                    swinging doors, which\n                                                                       permit unauthorized\n                                                                       physical access to\n                                                                       personnel payroll records.\n                                                                       The document storage\n                                                                       warehouse is shared by\n                                                                       business lines other than\n                                                                       the payroll office.\n                                                                       We noted electronic\n                                                                       records such as tapes,\n                                                                       microfilm, and CDs have\n                                                                       not been used for 4 years\n\n\n                                               27\n\n\x0cNo.   
Control Objective             Control Activities                          Tests Performed                     Results of Testing\n\n\n                                                                                                                and are stored in an\n                                                                                                                unlocked room in the\n                                                                                                                Charleston Payroll Office,\n                                                                                                                which is accessible to all\n                                                                                                                Civilian Payroll\n                                                                                                                employees.\n                                                                                                                DFAS Management\n                                                                                                                indicated the testing\n                                                                                                                exceptions reflected office\n                                                                                                                closure preparations as a\n                                                                                                                result of BRAC and were\n                                                                                                                not significant enough to\n                                                                                                                qualify the control\n                                                                                                               
 objective as these storage\n                                                                                                                areas are located within the\n                                                                                                                secure Payroll Office\n                                                                                                                locations.\n                                                                                                                DFAS-Denver\n                                                                                                                No relevant exception\n                                                                                                                noted.\n                                                                                                                DFAS-Indianapolis\n                                                                                                                No relevant exception\n                                                                                                                noted.\n\n\n                          1.3 - All visitors to the Payroll Office   Inquired with appropriate personnel,       DFAS-Pensacola\n                          must sign in and out with the              obtained and inspected a sample of\n                                                                                                                No relevant exception\n                          authorized security personnel.             
45 visitor logs to the payroll office to\n                                                                                                                noted.\n                                                                     confirm visitors must sign in with\n                                                                     authorized security personnel.             DFAS-Charleston\n                                                                                                                No relevant exception\n                                                                                                                noted.\n\n                                                           28\n\n\x0cNo.   Control Objective   Control Activities         Tests Performed       Results of Testing\n\n\n                                                                       DFAS-Denver\n                                                                       Visitors with a valid\n                                                                       Common Access Card\n                                                                       (CAC), law enforcement\n                                                                       badge, or military\n                                                                       identification can enter the\n                                                                       DFAS building and are not\n                                                                       required to sign in and out\n                                                                       with security; therefore,\n                                                                       access to the payroll office\n                                                                       is not limited to authorized\n                                                                       personnel.\n                                          
                             Of the 45 visitor logs\n                                                                       inspected:\n                                                                       \xe2\x80\xa2   14 out of 45\n                                                                           Visitor/Employee\n                                                                           Register Logs did not\n                                                                           have a telephone\n                                                                           number recorded.\n                                                                       \xe2\x80\xa2   2 out of 45\n                                                                           Visitor/Employee\n                                                                           Register Logs did not\n                                                                           have an escort\xe2\x80\x99s\n                                                                           signature.\n                                                                       DFAS-Indianapolis\n                                                                       We confirmed visitors to\n                                                                       the DFAS Indianapolis\n                                                                       Payroll Office must sign in\n                                                                       and out with authorized\n                                                                       security personnel;\n                                                                       however, once the visitor\n\n\n                                               29\n\n\x0cNo.   
Control Objective             Control Activities                        Tests Performed                 Results of Testing\n\n\n                                                                                                          is inside the building there\n                                                                                                          is no requirement to\n                                                                                                          display the visitor\xe2\x80\x99s badge.\n                                                                                                          Additionally, visitors with\n                                                                                                          a valid Common Access\n                                                                                                          Card (CAC), law\n                                                                                                          enforcement badge, or\n                                                                                                          military identification can\n                                                                                                          enter the DFAS building\n                                                                                                          and are not required to\n                                                                                                          sign in and out with\n                                                                                                          security; therefore, access\n                                                                                                          to the payroll office is not\n                                                                                                          limited to authorized\n                    
                                                                                      personnel.\n\n\n                          1.4 - All terminals and payroll records   Inquired with appropriate personnel   DFAS-Pensacola\n                          are located in physically secured         and observed the terminal rooms to\n                                                                                                          No relevant exception\n                          locations.                                confirm they are physically secure.\n                                                                                                          noted.\n                                                                                                          DFAS-Charleston\n                                                                                                          No relevant exception\n                                                                                                          noted.\n                                                                                                          DFAS-Denver\n                                                                                                          We noted data entry\n                                                                                                          terminals were not located\n                                                                                                          in physically secure\n                                                                                                          locations within locked\n                                                                                                          rooms. 
The data entry\n                                                                                                          terminals are located in an\n                                                                                                          open space shared by non-\n                                                                                                          payroll personnel who may\n\n                                                          30\n\n\x0cNo.   Control Objective            Control Activities                      Tests Performed                 Results of Testing\n\n\n                                                                                                       still be able to access\n                                                                                                       sensitive payroll\n                                                                                                       information.\n                                                                                                       DFAS-Indianapolis\n                                                                                                       Based on the procedures\n                                                                                                       performed, the terminals\n                                                                                                       are located within a\n                                                                                                       physically secure building;\n                                                                                                       however, terminal rooms\n                                                                                                       are not located in\n                                                                                                       physically secured\n     
                                                                                                  locations within locked\n                                                                                                       rooms, and data entry\n                                                                                                       terminals are connected to\n                                                                                                       the system 24 hours a day,\n                                                                                                       7 days a week. The\n                                                                                                       terminals are located in\n                                                                                                       shared spaces with other\n                                                                                                       agencies and non-payroll\n                                                                                                       office personnel,\n                                                                                                       increasing the risk of\n                                                                                                       unauthorized access to\n                                                                                                       sensitive payroll\n                                                                                                       information.\n\n                          1.5 - Users dispose of personnel and   Inquired with appropriate personnel   DFAS-Pensacola\n                          payroll records in accordance with     and observed destruction bins to\n                                                                                                       No relevant exception\n                  
        Government-wide and agency-specific    confirm that payroll records are\n                                                                                                       noted.\n                          guidelines.                            disposed of in accordance with\n                                                                 Government-wide and agency-           DFAS-Charleston\n                                                                 specific guidelines.\n                                                                                                       No relevant exception\n                                                                                                       noted.\n\n\n\n                                                        31\n\n\x0cNo.   Control Objective             Control Activities                       Tests Performed                   Results of Testing\n\n\n                                                                                                            DFAS-Denver\n                                                                                                            No relevant exception\n                                                                                                            noted.\n                                                                                                            DFAS-Indianapolis\n                                                                                                            No relevant exception\n                                                                                                            noted.\n                          1.6 - Each terminal automatically        Inquired with appropriate personnel      DFAS-Pensacola\n                          disconnects from the system when not     and observed system inactivity to\n                                                                                            
                No relevant exception\n                          used after a specified period of time.   confirm that each terminal\n                                                                                                            noted.\n                                                                   automatically disconnects from the\n                                                                   system when not used after a specified   DFAS-Charleston\n                                                                   period of time.\n                                                                                                            No relevant exception\n                                                                                                            noted.\n                                                                                                            DFAS-Denver\n                                                                                                            No relevant exception\n                                                                                                            noted.\n                                                                                                            DFAS-Indianapolis\n                                                                                                            No relevant exception\n                                                                                                            noted.\n                          1.7 - When terminals are not in use,     Inquired with appropriate personnel      DFAS-Pensacola\n                          terminal rooms are locked, or the        and observed facility to confirm that\n                                                                                                            No relevant exception\n                          terminals are capable of being           when terminals are 
not in use,\n                                                                                                            noted.\n                          secured.                                 terminal rooms are locked, or the\n                                                                   terminals are capable of being           DFAS-Charleston\n                                                                   secured.\n                                                                                                            No relevant exception\n                                                                                                            noted.\n\n\n\n\n                                                          32\n\n\x0cNo.   Control Objective   Control Activities         Tests Performed       Results of Testing\n\n\n                                                                       DFAS-Denver\n                                                                       We noted data entry\n                                                                       terminals were not located\n                                                                       in physically secure\n                                                                       locations within locked\n                                                                       rooms. 
The data entry\n                                                                       terminals are located in an\n                                                                       open space shared by non-\n                                                                       payroll personnel who may\n                                                                       be able to access sensitive\n                                                                       payroll information.\n                                                                       DFAS-Indianapolis\n                                                                       Based on the procedures\n                                                                       performed, the terminals\n                                                                       are located within a\n                                                                       physically secure building;\n                                                                       however, terminal rooms\n                                                                       are not located in\n                                                                       physically secured\n                                                                       locations within locked\n                                                                       rooms and data entry\n                                                                       terminals are connected to\n                                                                       the system 24 hours a day,\n                                                                       7 days a week. 
The terminals are located in shared spaces with other agencies and non-payroll office personnel, increasing the risk of unauthorized access to sensitive payroll information.

No.   Control Objective   Control Activities   Tests Performed   Results of Testing

2     Controls prevent unauthorized system access to DCPS data.

    2.1 – The ability to view, modify, or transfer information contained in the payroll master files is restricted to authorized personnel. Each operator is required to have a completed and authorized authorization form before being granted access to the system. Authorization profiles over users limit what transactions data entry personnel can enter.

    Tests Performed: Inquired with appropriate personnel and inspected a sample of 45 System Access Authorization Request forms (i.e., SAAR) to confirm the following:
        • The payroll master file and output is restricted to authorized personnel;
        • Each operator is authorized before being granted access to the system; and
        • Confirmed user profiles limit the type of transactions data entry personnel can enter into DCPS.

    Results of Testing:

    All Payroll Offices
    Of the 45 SAARs selected for testing, three employees were no longer DCPS users and were not active in the system; therefore, forms could not be provided for these users.

    Of the 42 non-payroll SAAR forms inspected, noted the following:
        • 1 of 42 forms indicated a user type which did not match the user type in the list of DCPS users by database;
        • 3 of 42 forms indicated authorization types which did not match the authorization type in the list of DCPS users by database;
        • 3 of 42 forms were missing the DCPS Security Awareness (WBT) completion date;
        • 1 of 42 forms was missing the user’s signature;
        • 1 of 42 forms was missing the supervisor’s signature;
        • 9 of 42 forms were missing the date of the supervisor’s signature;
        • 5 of 42 forms were missing the security manager’s signature; and
        • 10 of 42 forms were missing the date of the security manager’s signature.

    Of the 42 payroll SAAR forms inspected, noted the following:
        • 6 of 42 forms indicated a user type which did not match the user type in the list of DCPS users by database;
        • 3 of 42 forms indicated authorization types which did not match the authorization type in the list of DCPS users by database;
        • 1 of 42 forms was missing the DCPS Security Awareness (WBT) completion date;
        • 2 of 42 forms were missing the supervisor’s signature;
        • 12 of 42 forms were missing the date of the supervisor’s signature;
        • 2 of 42 forms were missing the security manager’s signature; and
        • 4 of 42 forms were missing the date of the security manager’s signature.

    Furthermore, we noted that for payroll office user testing, the forms that had user types which did not match the list of DCPS users by database are actually for non-payroll personnel who have payroll office access (based on the site activity code). The forms provided indicate that five of the six individuals are human resources personnel (P) with view (V) access; the sixth individual is accounting personnel (V) with accounting technician (J) access. However, the six individuals were included in the list of DCPS Users by Database as N, V combinations; meaning that rather than inputting the user type/indicator code into DCPS as it appeared on the DISA 195-1 form, technicians entered these users with “N” user type/indicator codes with “V” authorization types; an authorization type which is correct for five of the six users.

    2.2 – Policies and procedures are documented to describe that application users are appropriately identified and authenticated. Access to the application and output is restricted to authorized users for authorized purposes.

    Tests Performed: Inquired with appropriate personnel and read policies and procedures to confirm that users are appropriately identified and authenticated and that access to the application and output is restricted to authorized users for authorized purposes.

    Results of Testing:

    DFAS-Pensacola
    No relevant exception noted.

    DFAS-Charleston
    We identified a limitation within the DCPS system that prevents payroll technicians from adhering to the guidance in the DCPS Security Guidelines Manual. We noted technicians input a code into DCPS that did not correspond with the codes indicated on the SAAR (see related results of testing in control activity 2.1). DFAS management indicated the testing exception was caused by an administrative error and the exception was not significant enough to prevent the control activity from meeting its related control objective.

    DFAS-Denver
    No relevant exception noted.

    DFAS-Indianapolis
    No relevant exception noted.

    2.3 – On-line access logs are maintained by the System Management Office (SMO), and the logs are reviewed regularly for unauthorized access attempts.

    Tests Performed: Inquired with appropriate personnel and inspected access logs and e-mails for unauthorized access attempts to confirm that logs are maintained by the SMO, and the logs are reviewed regularly for unauthorized access attempts.

    Results of Testing:

    This control activity is tested by GCC Control Activity 7.2. No relevant exception noted.

    DFAS-Pensacola
    We noted that violations may have occurred during the audit period in which user(s) were attempting to access accounts for which they were not authorized. Adequate documentation was not available at the payroll office to allow us to investigate this issue further. DFAS management indicated the testing exception was caused by an administrative error and the exception was not significant enough to prevent the control activity from meeting its related control objective.

    2.4 – Remote terminal connections are secured and are connected via government-issued computers.

    Tests Performed: Inquired with appropriate personnel and observed Telework Packages to confirm remote terminal connections are secured and are connected via government computers. Specifically, inspected the telework packages for each employee to confirm all employees completed the following documentation, and each document contained the required signatures:
        1. VPN Request Form;
        2. TSO MOA;
        3. Telework Application;
        4. DFAS 1402, Safety Checklist; and
        5. DFAS 1400, DFAS MOA.

    Results of Testing:

    DFAS-Pensacola
    7 out of the 11 telework packages tested were incomplete, specifically:
        • 7 of 11 packages were missing a Telework Application; leaving only 4 Telework Applications for testing;
        • 3 of 11 packages were missing a DFAS 1402 (Safety Checklist); leaving only 8 DFAS 1402s for testing; and
        • 4 of 11 packages were missing a DFAS 1400 (Telecommuting Agreement); leaving only 7 DFAS 1400s for testing.
    All 11 packages contained a VPN User Access Request Form and a TSO MOA. No exceptions were noted with VPN request forms; all 11 VPN request forms contained employee signatures.
    The following exceptions were noted with TSO MOA testing:
        • 5 of 11 TSO MOAs were missing employee signature dates; and
        • 3 of 11 TSO MOAs were missing supervisor signature dates.
    The following exceptions were noted with DFAS 1402 testing:
        • 2 of 8 were missing employee signatures and dates; and
        • 1 of 8 was missing employee signature date only.
    The following exceptions were noted with DFAS 1400 testing:
        • 4 of 7 were missing employee signatures;
        • 5 of 7 were missing employee signature dates; and
        • 3 of 7 were missing supervisor signatures and dates.
    DFAS management indicated the testing exception was caused by an administrative error and the exception was not significant enough to prevent the control activity from meeting its related control objective.

    DFAS-Charleston
    We confirmed that nine of nine teleworking employees were using Government-issued computers and connecting to DCPS through a VPN. However, we noted the following exceptions while testing the Telework packages:
        • 1 of 9 Property Passes was missing the property custodian’s signature and employee’s signature and date;
        • 2 of 9 DFAS 1402 forms were missing the employee signatures and dates; and
        • 1 of 9 packages was missing a DFAS 1400 form (Telecommuting Agreement).
    Of the remaining eight DFAS 1400 forms inspected:
        • 1 of 8 forms was missing a supervisor’s signature and date.
    DFAS management indicated the testing exception was caused by an administrative error and the exception was not significant enough to prevent the control activity from meeting its related control objective.

    DFAS-Denver
    We were unable to test whether remote terminal connections are secured and are connected via Government-issued computers because Telework packages were
                                                                     not available for review.\n                                                                       DFAS management\n                                                                       indicated that once all\n                                                                       Government equipment\n                                                                       was returned to DFAS\n                                                                       Denver, all Telework files\n                                                                       were destroyed as part of\n                                                                       the process to recall\n                                                                       Telework personnel in\n                                                                       April, 2007.\n                                                                       DFAS management\n                                                                       indicated the testing\n                                                                       exception was caused by\n\n                                               43\n\n\x0cNo.   
Control Objective            Control Activities                        Tests Performed                   Results of Testing\n\n\n                                                                                                           an administrative error and\n                                                                                                           the exception was not\n                                                                                                           significant enough to\n                                                                                                           prevent the control activity\n                                                                                                           from meeting its related\n                                                                                                           control objective.\n                                                                                                           DFAS-Indianapolis\n                                                                                                           DFAS personnel have\n                                                                                                           remote access to DCPS\n                                                                                                           using non-DoD-issued\n                                                                                                           computers which is in\n                                                                                                           violation of the DFAS\n                                                                                                           Telework policy.\n                                                                                                           DFAS management\n                                                        
                                                   indicated the testing\n                                                                                                           exception was caused by\n                                                                                                           an administrative error and\n                                                                                                           the exception was not\n                                                                                                           significant enough to\n                                                                                                           prevent the control activity\n                                                                                                           from meeting its related\n                                                                                                           control objective.\n\n\n\n                          2.5 \xe2\x80\x93 Data entry terminals are           Inquired with appropriate personnel     DFAS-Pensacola\n                          connected to the system only during      and observed after-hours processes to\n                                                                                                           No relevant exception\n                          specified periods of the day, which      confirm terminals are not authorized\n                                                                                                           noted.\n                          corresponds with the business hours of   to be connected after business hours.\n                          the data entry personnel.                                                        
DFAS-Charleston\n                                                                                                           No relevant exception\n                                                                                                           noted.\n\n\n\n                                                         44\n\n\x0cNo.   Control Objective            Control Activities                     Tests Performed                   Results of Testing\n\n\n                                                                                                        DFAS-Denver\n                                                                                                        No relevant exception\n                                                                                                        noted.\n                                                                                                        DFAS-Indianapolis\n                                                                                                        See Control Activity 1.4 \xe2\x80\x93\n                                                                                                        DFAS-Indianapolis\n                                                                                                        (above) for testing results.\n                                                                                                        Exception Noted.\n                          2.6 \xe2\x80\x93 User IDs and passwords are      Inquired with appropriate personnel     DFAS-Pensacola\n                          required to gain access to the DCPS   and observed the DCPS log-in screen     No relevant exception\n                          application.                          
to confirm that user IDs and            noted.\n                                                                passwords are required to gain access   DFAS-Charleston\n                                                                to the DCPS application.\n                                                                                                        No relevant exception\n                                                                                                        noted.\n                                                                                                        DFAS-Denver\n                                                                                                        No relevant exception\n                                                                                                        noted.\n                                                                                                        DFAS-Indianapolis\n                                                                                                        No relevant exception\n                                                                                                        noted.\n\n\n\n\n                                                        45\n\n\x0c    No.         
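The two access conditions tested above, that teleworkers reach DCPS only through a VPN from Government-issued computers (the Telework control activity, whose Indianapolis exception was remote access from non-DoD-issued machines) and that data entry terminals connect only during business hours (Control Activity 2.5), can be checked continuously against session records rather than only by inspecting Telework packages and observing after-hours processes. The script below is an added example and is not code from this report, DFAS, DISA or DCPS; the pipe-separated session record format, the property-pass inventory of Government-issued serials, the "REMOTE" terminal marker, and the 0700–1800 Monday-to-Friday window are all assumptions made for the illustration.

```python
"""Session-record review for two DCPS control activities (added example).

Assumed inputs, none taken from the report: a pipe-separated session
record (timestamp|user|terminal|device|connection), an inventory of
Government-issued computer serials from the Property Passes, and a
0700-1800 Monday-through-Friday business-hours window.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample records (not real DCPS data). "REMOTE" marks a
# teleworker's session; any other terminal ID is a data entry terminal.
SAMPLE_SESSIONS = """\
2007-03-05T08:15:00|jdoe|T101|GOV-4417|LOCAL
2007-03-05T21:40:00|jdoe|T101|GOV-4417|LOCAL
2007-03-06T09:02:00|asmith|REMOTE|GOV-5120|VPN
2007-03-06T10:30:00|bjones|REMOTE|PERSONAL-01|VPN
2007-03-07T11:00:00|cwhite|REMOTE|GOV-5121|DIRECT
2007-03-10T10:00:00|jdoe|T101|GOV-4417|LOCAL
"""

# Assumed inventory of Government-issued computers (serials on Property Passes).
GOVERNMENT_ISSUED = {"GOV-4417", "GOV-5120", "GOV-5121"}
BUSINESS_HOURS = (time(7, 0), time(18, 0))  # assumed window, local time
BUSINESS_DAYS = {0, 1, 2, 3, 4}               # Monday through Friday


@dataclass(frozen=True)
class Finding:
    control: str     # "Telework" or "2.5"
    user: str
    timestamp: str
    reason: str


def parse_sessions(text):
    """Parse the pipe-separated records into tuples; blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, device, connection = line.split("|")
        sessions.append((datetime.fromisoformat(ts), user, terminal, device, connection))
    return sessions


def outside_business_hours(ts):
    """True if ts falls on a weekend or outside the daily window (end exclusive)."""
    start, end = BUSINESS_HOURS
    return ts.weekday() not in BUSINESS_DAYS or not (start <= ts.time() < end)


def review_sessions(text, inventory=GOVERNMENT_ISSUED):
    """Return one Finding per control violation, in record order.

    Remote sessions must use the VPN and a Government-issued device (the
    Telework requirement); data entry terminal sessions must fall inside
    business hours (Control Activity 2.5). A remote session can produce two
    findings when it fails both conditions.
    """
    findings = []
    for ts, user, terminal, device, connection in parse_sessions(text):
        when = ts.isoformat()
        if terminal == "REMOTE":
            if connection != "VPN":
                findings.append(Finding("Telework", user, when,
                                        f"remote session over {connection}, not VPN"))
            if device not in inventory:
                findings.append(Finding("Telework", user, when,
                                        f"device {device} is not on the Government-issued inventory"))
        elif outside_business_hours(ts):
            findings.append(Finding("2.5", user, when,
                                    f"terminal {terminal} connected outside business hours"))
    return findings


def exceptions_by_control(findings):
    """Count findings per control activity, the form an auditor would tabulate."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_sessions(SAMPLE_SESSIONS)
    for f in results:
        print(f"{f.control:9} {f.timestamp}  {f.user:8} {f.reason}")
    print(exceptions_by_control(results))
```

On the constructed sample the review flags four sessions: a Monday 21:40 terminal session and a Saturday session under 2.5, and two remote sessions under the Telework requirement (one from a device not on the inventory, one not over the VPN). Keying the device check on the Property Pass inventory is what turns the Indianapolis-style finding (non-DoD-issued computers) into something detectable from records, rather than something that can only be found while the Telework package file still exists.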
3   Control Objective: Controls provide reasonable assurance that DCPS authorized users are restricted to access only areas needed to complete their assigned responsibilities and controls maintain segregation of duties.

    Control Activity 3.1 – The detailed 592 payroll reconciliation shows all pertinent data describing the payroll (including total disbursements, Retirement, Thrift Savings Plan (TSP), Bonds, and other withholdings) and the related balances are reconciled, in the appropriate accounting period, to corresponding general ledger accounts within DCPS. All reconciling items are investigated and cleared on a timely basis by supervisory personnel, prior to disbursement.

    Tests Performed: Inquired with appropriate personnel and inspected all 26 of the 592 payroll reconciliations (a 100% sample) for each database to confirm:
    1) the detailed payroll reconciliation shows pertinent data describing the payroll (including total disbursements, Retirement, TSP, Bonds, and other withholdings) and the related balances are reconciled, in the appropriate accounting period, to corresponding general ledger accounts within DCPS;
    2) each 592 reconciliation is approved by management prior to disbursement; and
    3) reconciling items are investigated and cleared on a timely basis by supervisory personnel, prior to disbursement.

    Results of Testing:
    DFAS-Pensacola
      CP1 Database: Of the 26 reports (592 reconciliations) inspected, we observed that one report did not have a certifying officer’s signature.
      ZKA Database: Of the 26 reports (592 reconciliations) inspected, we observed that 2 of the 2812 Statements of Withholding were not signed and dated, and 3 of the 2812 Statements of Withholding were not dated.
    DFAS-Charleston
      ZGT Database: Of the 26 reports (592 reconciliations) inspected, we observed that one report was corrected by the preparer but not reconciled; one report did not balance even when a supplemental was prepared, and did not have the 592 preparer’s signature; and three reports were corrected but did not balance and did not have a corresponding supplemental worksheet. Additionally, an inconsistency was confirmed in the DFAS Charleston Payroll Center’s procedure for recording adjustments to the 592 when the report is initially out of balance or does not include all of the lines of accounting that are required for full reconciliation.
    DFAS-Denver: No relevant exception noted.
    DFAS-Indianapolis
      ZPV Database: Of the 26 reports (592 reconciliations), 5 were processed by Veterans Affairs; therefore, only 21 592 reports were tested. Of the 21 592 reconciliation reports inspected, 2 withholding reports were not signed.

    Control Activity 3.2 – Summary payroll reports, including OLQs of total disbursements, Retirement, Thrift Savings Plan (TSP), Bonds, and other withholdings, are reviewed and approved by management prior to disbursement.

    Tests Performed: Inquired with appropriate personnel and inspected summary reports and OLQs reviewed and approved by management prior to disbursement.

    Results of Testing:
    DFAS-Pensacola: No relevant exception noted.
    DFAS-Charleston: No relevant exception noted.
    DFAS-Denver: No relevant exception noted.
    DFAS-Indianapolis: No relevant exception noted.

4   Control Objective: Controls provide reasonable assurance that system and software changes are authorized, effectively and efficiently implemented, tested and documented. (General Computer controls only)

    Control Activities: N/A, as this is tested by the General Computer Controls.
    Tests Performed: N/A, as this is tested by the General Computer Controls.
    Results of Testing: N/A

6   Control Objective: Controls include an enterprise-wide security program to review and manage risks and ensure policies comply with laws and regulations.

    Control Activity 6.1 – A Security Program has been prepared specific to payroll operations and is approved by management. The plan is regularly tested and updated to reflect the results of such tests.

    Tests Performed: Inquired with appropriate personnel to confirm that a Security Program for payroll operations exists. Obtained and inspected the date of the plans and corroborated with management that these plans are current, contain up-to-date information, and are readily available to all relevant personnel. Inquired with management to confirm that the plans have been approved.

    Results of Testing:
    DFAS-Pensacola: No relevant exception noted.
    DFAS-Charleston: No relevant exception noted.
    DFAS-Denver: No relevant exception noted.
    DFAS-Indianapolis: We could not conduct testing for this control activity. The DFAS Indianapolis Payroll Office only started processing payroll in May 2007; therefore, an FFMIA annual certification has not yet been performed. Since this control activity had not been performed at this location during our period of testing, we cannot conclude on the effectiveness of this control.

7   Control Objective: Controls provide reasonable assurance that personnel and payroll data processed and stored at the DFAS and DISA (GCC) locations are valid, accurate, authorized, complete, [and] timely, support financial reporting requirements and provide sufficient audit trails.

    Control Activity 7.1 – Policies and procedures are documented to describe that only valid and accurate changes are made to the payroll master files and payroll withholding tables.

    Tests Performed: Inquired with appropriate personnel and read policies and procedures to confirm that only valid changes are made to the payroll master files and payroll withholding tables.

    Results of Testing:
    DFAS-Pensacola: No relevant exception noted.
    DFAS-Charleston: No relevant exception noted.
    DFAS-Denver: Exceptions noted. Please see testing performed in Control Activity 7.10.
    DFAS-Indianapolis: No relevant exception noted.

    Control Activity 7.2 – Programmed validation and edit checks identify erroneous data.

    Tests Performed: Inquired with appropriate personnel and observed programmed validation and edit checks to confirm that they identify erroneous data entered directly into DCPS.

    Results of Testing:
    DFAS-Pensacola: No relevant exception noted.

    Control Activity 7.3 – The ability to view, modify, or transfer information contained in the payroll master files is restricted to authorized personnel.

    Tests Performed: Inquired with appropriate personnel and inspected a haphazard sample of 45 System Access Authorization Request forms (i.e., SAARs) to confirm that the master file is restricted to authorized personnel.

    Results of Testing:
    All Payroll Offices
    Of the 45 SAARs selected for testing, 3 employees were no longer DCPS users and were not active in the system; therefore, forms could not be provided for these users. Of the 42 non-payroll SAAR forms inspected, we noted the following:
    •   1 of 42 forms indicated a user type which did not match the user type in the list of DCPS users by database;
    •   3 of 42 forms indicated authorization types which did not match the authorization type in the list of DCPS users by database;
    •   3 of 42 forms were missing the DCPS Security Awareness (WBT) completion date;
    •   1 of 42 forms was missing the user’s signature;
    •   1 of 42 forms was missing the supervisor’s signature;
    •   9 of 42 forms were missing the date of the supervisor’s signature;
    •   5 of 42 forms were missing the security manager’s signature; and
    •   10 of 42 forms were missing the date of the
                                       security manager\xe2\x80\x99s\n                                                                           signature.\n\n                                                                       Of the 42 payroll SAAR\n                                                                       forms inspected, noted the\n                                                                       following:\n                                                                       \xe2\x80\xa2   6 of 42 forms\n                                                                           indicated a user type\n                                                                           which did not match\n                                                                           the user type in the list\n                                                                           of DCPS users by\n                                                                           database;\n                                                                       \xe2\x80\xa2    3 of 42 forms\n                                                                           indicated\n                                                                           authorization types\n                                                                           which did not match\n                                                                           the authorization type\n                                                                           in the list of DCPS\n                                                                           users by database;\n                                                                       \xe2\x80\xa2   1 of 42 forms were\n                                                                           missing the DCPS\n                                                                           Security Awareness\n                        
                                                   (WBT) completion\n\n                                               52\n\n\x0cNo.   Control Objective   Control Activities         Tests Performed       Results of Testing\n\n\n                                                                           date;\n                                                                       \xe2\x80\xa2   2 of 42 forms were\n                                                                           missing the\n                                                                           supervisor\xe2\x80\x99s signature;\n                                                                       \xe2\x80\xa2   12 of 42 forms were\n                                                                           missing the date of the\n                                                                           supervisor\xe2\x80\x99s signature;\n                                                                       \xe2\x80\xa2   2 of 42 forms were\n                                                                           missing the security\n                                                                           manager\xe2\x80\x99s signature;\n                                                                           and\n                                                                       \xe2\x80\xa2   4 of 42 forms were\n                                                                           missing the date of the\n                                                                           security manager\xe2\x80\x99s\n                                                                           signature.\n                                                                       Furthermore, we noted that\n                                                                       for Payroll Office user\n                                                                       testing, 
the forms that had\n                                                                       user types which did not\n                                                                       match the list of DCPS\n                                                                       users by database are\n                                                                       actually for Non-Payroll\n                                                                       personnel who have\n                                                                       Payroll Office access\n                                                                       (based on the site activity\n                                                                       code). The forms provided\n                                                                       indicate that five of the six\n                                                                       individuals are human\n                                                                       resources personnel (P)\n                                                                       with view (V) access; the\n                                                                       sixth individual is\n                                                                       accounting personnel (V)\n\n\n                                               53\n\n\x0cNo.   
Control Objective             Control Activities                        Tests Performed                  Results of Testing\n\n\n                                                                                                           with accounting technician\n                                                                                                           (J) access.\n                                                                                                           However, all six\n                                                                                                           individuals were included\n                                                                                                           in the list of DCPS users\n                                                                                                           by database as N, V\n                                                                                                           combinations; meaning\n                                                                                                           that rather than inputting\n                                                                                                           the user type/indicator\n                                                                                                           code into DCPS as it\n                                                                                                           appeared on the DISA\n                                                                                                           195-1 form, technicians\n                                                                                                           entered these users with\n                                                                                                           \xe2\x80\x9cN\xe2\x80\x9d user type/indicator\n                     
                                                                                      codes with \xe2\x80\x9cV\xe2\x80\x9d\n                                                                                                           authorization types; an\n                                                                                                           authorization type which is\n                                                                                                           correct for 5 of the 6 users.\n\n                          7.4 \xe2\x80\x93 Changes to the payroll              Inquired with appropriate personnel    DFAS-Pensacola\n                          withholding tables and master files are   and observed the process of tax\n                                                                                                           No relevant exception\n                          compared to authorized source             changes to the payroll withholding\n                                                                                                           noted.\n                          documents by supervisory personnel        tables and master files being\n                          to ensure that they were input            compared to authorized source          DFAS-Charleston\n                          accurately.                               
documents by supervisory personnel\n                                                                                                           No relevant exception\n                                                                    to confirm that they were tested and\n                                                                                                           noted.\n                                                                    approved.\n                                                                                                           DFAS-Denver\n                                                                    Inquired with appropriate personnel\n                                                                                                           No relevant exception\n                                                                    and observed the Imaging process to\n                                                                                                           noted.\n                                                                    confirm that inputs are compared to\n                                                                    authorized Imaging documents to\n                                                                    confirm that they were input\n                                                                    accurately.\n\n\n                                                          54\n\n\x0cNo.   
Control Objective            Control Activities                      Tests Performed                     Results of Testing\n\n\n                                                                                                           DFAS-Indianapolis\n                                                                                                           No relevant exception\n                                                                                                           noted.\n\n                          7.5 \xe2\x80\x93 Policies and procedures are      Inquired with appropriate personnel       DFAS-Pensacola\n                          documented to describe that changes    and read policies and procedures to\n                                                                                                           No relevant exception\n                          made to the payroll master files and   confirm that changes to the payroll\n                                                                                                           noted.\n                          withholding tables are authorized,     master files and withholding tables are\n                          input, and processed timely.           
authorized, input, and processed\n                                                                 timely.\n\n\n\n\n                          7.6 \xe2\x80\x93 Policies and procedures are      Inquired with appropriate personnel       DFAS-Charleston\n                          documented to describe that changes    and read policies and procedures to\n                                                                                                           No relevant exception\n                          made to the payroll master files and   confirm that changes to the payroll\n                                                                                                           noted.\n                          withholding tables are authorized,     master files and withholding tables are\n                          input, and processed timely.           authorized, input, and processed\n                                                                 timely.\n\n\n\n\n                          7.7 \xe2\x80\x93 Policies and procedures are      Inquired with appropriate personnel       DFAS-Denver\n                          documented to describe that changes    and read policies and procedures to\n                                                                                                           Exceptions noted. Please\n                          made to the payroll master files and   confirm that changes to the payroll\n                                                                                                           see testing performed in\n                          withholding tables are authorized,     master files and withholding tables are\n                                                                                                           Control Activity 7.10.\n                          input, and processed timely.           
authorized, input, and processed\n                                                                 timely.\n\n\n\n\n                                                         55\n\n\x0cNo.   Control Objective            Control Activities                        Tests Performed                     Results of Testing\n\n\n                          7.8 \xe2\x80\x93 Policies and procedures are        Inquired with appropriate personnel       DFAS-Indianapolis\n                          documented to describe that changes      and read policies and procedures to\n                                                                                                             No relevant exception\n                          made to the payroll master files and     confirm that changes to the payroll\n                                                                                                             noted.\n                          withholding tables are authorized,       master files and withholding tables are\n                          input, and processed timely.             
authorized, input, and processed\n                                                                   timely.\n\n\n\n\n                          7.9 \xe2\x80\x93 Changes to the payroll master      Inquired with appropriate personnel       DFAS-Pensacola\n                          file and withholding table data are      and inspected reports to confirm that\n                                                                                                             No relevant exception\n                          logged in numerous reports and           changes to the payroll master file and\n                                                                                                             noted.\n                          reviewed by supervisory personnel to     table data are logged and reviewed by\n                          ensure that all requested changes are    supervisory personnel.                    DFAS-Charleston\n                          processed timely.\n                                                                                                             No relevant exception\n                                                                                                             noted.\n                                                                                                             DFAS-Denver\n                                                                                                             No relevant exception\n                                                                                                             noted.\n                                                                                                             DFAS-Indianapolis\n                                                                                                             No Relevant Exceptions\n                                                                                                             Noted.\n         
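The SAAR reconciliation tested under Control Activity 7.3 above (form attributes compared with the list of DCPS users by database, plus completeness of signatures and dates) can be run as a repeatable access-review check. The Python below is an added illustration and is not code from this report, DFAS, or DISA; the record fields, the exception labels, and the sample records are constructed assumptions, and it goes one step beyond the report by also flagging an active user for whom no form exists at all.

```python
"""Reconcile SAAR forms against the list of DCPS users by database.

Added illustration of the Control Activity 7.3 test; field names and the
sample records below are constructed assumptions, not DCPS data formats.
"""
from dataclasses import dataclass
from typing import Optional

# Exception categories the audit reported for Control Activity 7.3.
USER_TYPE_MISMATCH = "user type does not match list of DCPS users by database"
AUTH_TYPE_MISMATCH = "authorization type does not match list of DCPS users by database"
MISSING_WBT_DATE = "missing DCPS Security Awareness (WBT) completion date"
MISSING_USER_SIG = "missing user's signature"
MISSING_SUP_SIG = "missing supervisor's signature"
MISSING_SUP_DATE = "missing date of supervisor's signature"
MISSING_SECMGR_SIG = "missing security manager's signature"
MISSING_SECMGR_DATE = "missing date of security manager's signature"


@dataclass(frozen=True)
class SaarForm:
    """One SAAR as transcribed from the paper form (hypothetical fields)."""
    user_id: str
    user_type: str              # user type/indicator code written on the form
    auth_type: str              # authorization type written on the form
    wbt_date: Optional[str]     # Security Awareness (WBT) completion date
    user_signed: bool
    supervisor_signed: bool
    supervisor_date: Optional[str]
    secmgr_signed: bool
    secmgr_date: Optional[str]


@dataclass(frozen=True)
class DcpsUser:
    """One entry from the list of DCPS users by database (hypothetical fields)."""
    user_id: str
    user_type: str
    auth_type: str
    active: bool = True


def review_form(form: SaarForm, user: DcpsUser) -> list:
    """Return every exception category that applies to one form.

    User type and authorization type are compared separately: the report
    describes forms whose user type was keyed into DCPS differently (P vs N)
    while the authorization type (V) was still correct, and those are two
    distinct findings. A missing signature is reported once; the date check
    only applies when the signature itself is present.
    """
    findings = []
    if form.user_type != user.user_type:
        findings.append(USER_TYPE_MISMATCH)
    if form.auth_type != user.auth_type:
        findings.append(AUTH_TYPE_MISMATCH)
    if not form.wbt_date:
        findings.append(MISSING_WBT_DATE)
    if not form.user_signed:
        findings.append(MISSING_USER_SIG)
    if not form.supervisor_signed:
        findings.append(MISSING_SUP_SIG)
    elif not form.supervisor_date:
        findings.append(MISSING_SUP_DATE)
    if not form.secmgr_signed:
        findings.append(MISSING_SECMGR_SIG)
    elif not form.secmgr_date:
        findings.append(MISSING_SECMGR_DATE)
    return findings


def reconcile(sample_ids, forms, users) -> dict:
    """Reconcile a sample of user IDs the way the 7.3 test was performed:
    users no longer in DCPS are set aside (no form can be provided), every
    remaining form is reviewed, and exceptions are tallied per category.
    An active user with no form is reported separately (added case)."""
    forms_by_id = {f.user_id: f for f in forms}
    users_by_id = {u.user_id: u for u in users}
    not_active, no_form, findings, tally = [], [], {}, {}
    for uid in sample_ids:
        user = users_by_id.get(uid)
        if user is None or not user.active:
            not_active.append(uid)
            continue
        form = forms_by_id.get(uid)
        if form is None:
            no_form.append(uid)
            continue
        exceptions = review_form(form, user)
        if exceptions:
            findings[uid] = exceptions
            for category in exceptions:
                tally[category] = tally.get(category, 0) + 1
    inspected = len(sample_ids) - len(not_active) - len(no_form)
    return {"inspected": inspected, "not_active": not_active,
            "no_form": no_form, "findings": findings, "tally": tally}


# Constructed sample: six selected IDs, one inactive user, one unknown ID.
SAMPLE_USERS = [
    DcpsUser("u001", "N", "V"),
    DcpsUser("u002", "N", "V"),                 # form says P/V: user type only
    DcpsUser("u003", "J", "J"),
    DcpsUser("u004", "N", "V", active=False),   # no longer a DCPS user
    DcpsUser("u005", "P", "V"),
]
SAMPLE_FORMS = [
    SaarForm("u001", "N", "V", "2007-03-01", True, True, "2007-03-02", True, "2007-03-03"),
    SaarForm("u002", "P", "V", "2007-03-01", True, True, "2007-03-02", True, "2007-03-03"),
    SaarForm("u003", "J", "V", None, True, True, None, False, None),
    SaarForm("u005", "P", "V", "2007-03-01", False, True, "2007-03-02", True, None),
]
SAMPLE_IDS = ["u001", "u002", "u003", "u004", "u005", "u006"]


def run_sample() -> dict:
    return reconcile(SAMPLE_IDS, SAMPLE_FORMS, SAMPLE_USERS)


if __name__ == "__main__":
    result = run_sample()
    print(f"{result['inspected']} forms inspected; "
          f"{len(result['not_active'])} users no longer active")
    for category, count in sorted(result["tally"].items()):
        print(f"  {count} of {result['inspected']} forms: {category}")
```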
7.10
Control Activities: Requests to change the payroll master file data and withholding table are submitted on pre-numbered Remedy Tickets; the numerical sequence of the Remedy Tickets is accounted for to ensure that the requested changes are processed timely. Access to source documents is controlled; key source documents require signatures from supervisory personnel.
Tests Performed: Inquired with appropriate personnel and inspected a haphazard sample of 45 Remedy Tickets to confirm the requests:
  • are pre-numbered;
  • the sequence is accounted for so that the forms are accounted for timely;
  • access to the source documents is controlled; and
  • key source documents require signatures from supervisory personnel.
Results of Testing:
  DFAS-Pensacola: Of the 45 remedy tickets inspected, 4 were not completed within the escalation timeframe prescribed by management. DFAS management indicated the testing exception was caused by an administrative error and the exception was not significant enough to prevent the control activity from meeting its related control objective.
  DFAS-Charleston: The numerical sequence of the remedy tickets was not continuous. Of the universe of remedy tickets inspected, there were 13 remedy tickets missing.
  DFAS-Denver: Of the 45 remedy tickets inspected, 1 was not processed within the escalation timeframe prescribed by management. DFAS management indicated the testing exception was caused by an administrative error and the exception was not significant enough to prevent the control activity from meeting its related control objective.
  DFAS-Indianapolis: No relevant exception noted.

7.11
Control Activities: Payroll master file data and withholding table data are edited and validated, and errors identified on the Personnel Interface Invalid Report are corrected promptly.
Tests Performed: Inquired with appropriate personnel and inspected a sample of 45 Personnel Interface Invalid Reports of erroneous transactions to confirm items are investigated and resolved timely.
Results of Testing:
  DFAS-Pensacola: Of the 45 Personnel Interface Invalid Reports selected for review, 16 could not be located. Of the 29 Personnel Interface Invalid Reports inspected:
  • 8 reports were missing the technician’s signature on the report;
  • 8 reports were missing the date of when the report was annotated by the technician; and
  • 29 were inconsistently annotated with codes outlined in the SOP.
  We confirmed that the requirement for technicians to annotate every transaction did not take effect until May 27, 2007. One report in the random sample fell after this date (June 18, 2007). We scanned this report and noted that the technician annotating this report failed to comply with the new requirement, and transactions were annotated inconsistently. None of the 29 reports provided and scanned contained sufficient detail to confirm resolution of all errors in the reports.
  DFAS-Charleston: Of the 45 Personnel Interface Invalid Reports selected for review, no interface errors occurred for 9 of the reports selected. Of the 36 Personnel Interface Invalid Reports inspected, only 1 was not annotated correctly. Furthermore, evidence of supervisory review of Personnel Interface Invalid Reports could not be obtained for the sample selected in Control Activities 7.11/7.23. The Personnel Interface Invalid Reports SOP states a supervisor reviews 10% of the Payroll Technician’s annotated reports on file.
  DFAS-Denver:
    OMA Database: Of the 45 Personnel Interface Invalid Reports inspected, 5 reports provided did not contain annotations by the payroll office technician for each line item that described the error correction method.
    ZPA Database: Of the 45 Personnel Interface Invalid Reports selected, 1 report could not be located for review.
  DFAS-Indianapolis:
    ZPV Database: ZPV Personnel Interface Invalid Reports processing was performed at the Pensacola Payroll Office from August 20, 2006, through May 12, 2007. The Pensacola Payroll Office was unable to supply Personnel Interface Invalid Reports documentation for August 20, 2006, through January 19, 2007; therefore, testing could not be conducted for this timeframe. Of the reports requested for the remaining audit period (26 reports in total), one could not be located. Of the 25 inspected, 15 were missing a date; 1 did not include a technician’s signature; and 4 were not
                                                                           properly annotated.\n                          7.12 \xe2\x80\x93 Policies and procedures are       Inquired with appropriate personnel   DFAS-Pensacola\n                          documented to describe that payroll      and read policies and procedures to\n                                                                                                         No relevant exception\n                          processing is accurate and recorded in   confirm that payroll processing is\n                                                                                                         noted.\n                          the proper period.                       accurate and recorded in the\n                                                                   appropriate period.                   DFAS-Charleston\n                                                                                                         No relevant exception\n                                                                                                         noted.\n                                                                                                         DFAS-Denver\n                                                                                                         No relevant exception\n                                                                                                         noted.\n                                                                                                         DFAS-Indianapolis\n                                                                                                         No relevant exception\n                                                                                                         noted.\n\n\n\n\n                                                         61\n\n\x0cNo.   
Control Objective             Control Activities                        Tests Performed                     Results of Testing\n\n\n                          7.13 \xe2\x80\x93 Compliance with the payroll        Inquired with appropriate personnel       DFAS-Pensacola\n                          disbursement processing schedule is       and inspected pay processing\n                                                                                                              No relevant exception\n                          monitored by management.                  schedules and observed payroll\n                                                                                                              noted.\n                                                                    disbursement process to confirm\n                                                                    management monitored payroll              DFAS-Charleston\n                                                                    disbursement processing schedule.\n                                                                                                              No relevant exception\n                                                                                                              noted.\n\n\n                                                                                                              DFAS-Denver\n                                                                                                              No relevant exception\n                                                                                                              noted.\n                                                                                                              DFAS-Indianapolis\n                                                                                                              No relevant exception\n                                                            
                                                  noted.\n\n\n                          7.14 \xe2\x80\x93 The detailed 592 payroll           Inquired with appropriate personnel       DFAS-Pensacola\n                          reconciliation shows all pertinent data   and inspected a 100% sample of 26\n                                                                                                              CP1 Database\n                          describing the payroll (including total   592 reconciliations for each database\n                          disbursements, Retirement, Thrift         to confirm:                               Of the 26 592\n                          Savings Plan (TSP), bonds, and other                                                reconciliation reports, we\n                          withholdings) and the related balances    1) The detailed payroll reconciliation    observed that 1 report did\n                          are reconciled, in the appropriate        shows pertinent data describing the       not have a certifying\n                          accounting period, to corresponding       payroll (including total disbursements,   officer\xe2\x80\x99s signature.\n                          general ledger accounts within DCPS.      Retirement, TSP, bonds, and other\n                                                                                                              ZKA Database\n                          All reconciling items are investigated    withholdings) and the related balances\n                          and cleared on a timely basis by          are reconciled, in the appropriate        Of the 26 592\n                          supervisory personnel, prior to           accounting period, to corresponding       reconciliation reports, we\n                          disbursement.                             
general ledger accounts within DCPS;      observed that 2 of the 2812\n                                                                                                              Statements of Withholding\n                                                                                                              were not signed and dated,\n\n\n                                                          62\n\n\x0cNo.   Control Objective   Control Activities                   Tests Performed                    Results of Testing\n\n\n                                                                                              and 3 of the 2812\n                                                     2) Each 592 reconciliation is approved\n                                                                                              Statements of Withholding\n                                                     by management prior to disbursement;\n                                                                                              were not dated.\n                                                     and\n                                                                                              DFAS-Charleston\n                                                     3) Reconciling items are investigated\n                                                     and cleared on a timely basis by         ZGT Database\n                                                     supervisory personnel, prior to\n                                                                                              Of the 26 592\n                                                     disbursement.\n                                                                                              reconciliation reports, we\n                                                                                              observed that 1 report was\n                                                       
                                       corrected by the preparer\n                                                                                              but not reconciled; 1 report\n                                                                                              did not balance when a\n                                                                                              supplemental 592 was\n                                                                                              prepared, and it did not\n                                                                                              have the 592 preparer\xe2\x80\x99s\n                                                                                              signature; 3 reports were\n                                                                                              corrected but did not\n                                                                                              balance and did not have a\n                                                                                              corresponding\n                                                                                              supplemental worksheet.\n                                                                                              Additionally, an\n                                                                                              inconsistency was\n                                                                                              confirmed in the DFAS\n                                                                                              Charleston Payroll\n                                                                                              Center\xe2\x80\x99s procedure for\n                                                                                              recording adjustments to\n                                 
                                                             the 592 when the report is\n                                                                                              initially out of balance or\n                                                                                              does not include all of the\n                                                                                              lines of accounting that are\n                                                                                              required for full\n                                                                                              reconciliation.\n\n\n\n\n                                               63\n\n\x0cNo.   Control Objective            Control Activities                       Tests Performed                  Results of Testing\n\n\n                                                                                                         DFAS-Denver\n                                                                                                         No relevant exception\n                                                                                                         noted.\n                                                                                                         DFAS-Indianapolis\n                                                                                                         ZPV Database\n                                                                                                         Of the 26 592\n                                                                                                         reconciliation reports, 5\n                                                                                                         were processed by the\n                                                                                                         Veterans Affairs,\n             
                                                                                            therefore, only 21 592\n                                                                                                         reports were tested. Of the\n                                                                                                         21 592 reconciliation\n                                                                                                         reports inspected, 2\n                                                                                                         withholding reports were\n                                                                                                         not signed.\n\n                          7.15 \xe2\x80\x93 Summary payroll reports          Inquired with appropriate personnel,   DFAS-Pensacola\n                          including OLQs of total                 obtained and inspected summary\n                                                                                                         No relevant exception\n                          disbursements, Retirement, Thrift       payroll reports and OLQs to confirm\n                                                                                                         noted.\n                          Savings Plan (TSP), Bonds, and other    the following:\n                          withholdings are periodically                                                  DFAS-Charleston\n                                                                  \xe2\x80\xa2   Payroll master files and\n                          reviewed by supervisory personnel for\n                                                                      withholding tables are             No relevant exception\n                          accuracy and ongoing pertinence of\n                                                                      periodically reviewed by          
 noted.\n                          the payroll master file and\n                                                                      supervisory personnel for\n                          withholding tables, and approved by                                            DFAS-Denver\n                                                                      accuracy and ongoing pertinence;\n                          management prior to disbursement.\n                                                                      and                                No relevant exception\n                                                                                                         noted.\n                                                                  \xe2\x80\xa2   Reports are approved by\n                                                                      management prior to                DFAS-Indianapolis\n                                                                      disbursement.\n                                                                                                         No relevant exception\n                                                                                                         noted.\n\n\n\n                                                        64\n\n\x0cNo.   
Control Objective            Control Activities                       Tests Performed                 Results of Testing\n\n\n                          7.16 \xe2\x80\x93 Policies and procedures are      Inquired with appropriate personnel   DFAS-Pensacola\n                          documented to describe that disbursed   and read policies and procedures to\n                                                                                                        No relevant exception\n                          payroll (including compensation and     confirm that disbursed payroll is\n                                                                                                        noted.\n                          withholding) is accurately calculated   accurately calculated and recorded.\n                          and recorded.                                                                 DFAS-Charleston\n                                                                                                        No relevant exception\n                                                                                                        noted.\n                                                                                                        DFAS-Denver\n                                                                                                        No relevant exception\n                                                                                                        noted.\n                                                                                                        DFAS-Indianapolis\n                                                                                                        Exceptions noted. 
See\n                                                                                                        testing performed in\n                                                                                                        Control Activity 7.21.\n                          7.17 \xe2\x80\x93 DCPS performs limit and          Inquired with appropriate personnel   DFAS-Pensacola\n                          reasonableness checks on employee       and inspected a limit and\n                                                                                                        No relevant exception\n                          earnings.                               reasonableness report to confirm\n                                                                                                        noted.\n                                                                  reasonableness checks are performed\n                                                                  on employee earnings.                 
DFAS-Charleston\n                                                                                                        We noted that large payroll\n                                                                                                        increases occurred in the\n                                                                                                        pay periods ending March\n                                                                                                        17, 2007, and May 12,\n                                                                                                        2007, for the ZPD payroll\n                                                                                                        database and the ZFR\n                                                                                                        payroll database\n                                                                                                        respectively. These large\n                                                                                                        increases were for annual\n                                                                                                        pay bonuses that were paid\n                                                                                                        in the appropriate pay\n                                                                                                        period. DFAS-Charleston\n\n                                                        65\n\n\x0cNo.   
Control Objective            Control Activities                      Tests Performed                    Results of Testing\n\n\n                                                                                                          was unable to provide us\n                                                                                                          documentation to confirm\n                                                                                                          the reasons that were\n                                                                                                          given for the large payroll\n                                                                                                          increases. DCPS does not\n                                                                                                          have a limit or\n                                                                                                          reasonableness check\n                                                                                                          requirement to identify\n                                                                                                          variances at the total\n                                                                                                          payroll level.\n                                                                                                          DFAS-Denver\n                                                                                                          No relevant exception\n                                                                                                          noted.\n                                                                                                          DFAS-Indianapolis\n                                                                                           
               Confirmed the Less than\n                                                                                                          $1 Greater than $5,000\n                                                                                                          Desk Guide did not have\n                                                                                                          documented procedures\n                                                                                                          requiring a supervisor to\n                                                                                                          review 10% of the entries\n                                                                                                          in the report, or the\n                                                                                                          requirement to evidence\n                                                                                                          the review with a signature\n                                                                                                          or similar notation.\n                          7.18 \xe2\x80\x93 Policies and procedures are     Inquired with appropriate personnel      DFAS-Pensacola\n                          documented to describe that only       and read policies and procedures to\n                                                                                                          No relevant exception\n                          valid, authorized employees are paid   confirm that only valid, authorized\n                                                                                                          noted.\n                          and that payroll is disbursed to       employees are paid and that payroll is\n                          appropriate employees.                 
disbursed to appropriate employees.      DFAS-Charleston\n                                                                                                          No relevant exception\n                                                                                                          noted.\n\n\n                                                         66\n\n\x0cNo.   Control Objective            Control Activities                       Tests Performed                    Results of Testing\n\n\n                                                                                                           DFAS-Denver\n                                                                                                           No relevant exception\n                                                                                                           noted.\n                                                                                                           DFAS-Indianapolis\n                                                                                                           No relevant exception\n                                                                                                           noted.\n\n\n                          7.19 \xe2\x80\x93 Supervisory personnel            Inquired with appropriate personnel      DFAS-Pensacola\n                          periodically review listings, such as   and inspected the Personnel/Payroll\n                                                                                                           Noted the Pensacola\n                          the Personnel/Payroll Reconciliation    Reconciliation Report to confirm it is\n                                                                                                           Payroll Office does not\n                          Report, of current employees within     sent to management for review of\n                                                  
No.   Control Objective   Control Activities         Tests Performed       Results of Testing

7.19 (continued from the previous page)

      Control Activities: ... send a letter of completion to each user organization and notify the corresponding user organization's personnel department of necessary changes.

      Tests Performed: ... employee listings personnel department notified of changes. Obtained and inspected a sample of 45 Personnel/Payroll Reconciliation Reports, along with the corresponding supervisor document log, to confirm items that require resolution are investigated and resolved by the appropriate personnel. Additionally, inspected the supervisor document log to confirm the quarterly Pay Personnel Reports are logged and both supervisor and personnel signatures are captured.

      Results of Testing: ... signed by the supervisor to the personnel offices as documented in the SOP. Of the 45 Personnel/Payroll Reconciliation Reports inspected, 1 report for Thrift Savings Plan (TSP) changes, which is handled by the Support Services Branch, could not be located. Additionally, we identified that reports that go to that branch are not maintained with a cover sheet as required by the SOP. Four reports were not completed within 10 working days as required by the SOP.

          DFAS-Charleston
          DFAS-Charleston did not receive any Personnel/Payroll Reconciliation Reports for 3 of the 4 quarters of our audit period and received only 4 reports for another quarter. The most recent quarter reports were supplied; however, we were unable to test as the reconciliation process was not yet complete. Therefore, testing could not be performed. Furthermore, for the reports that were supplied, noted the Charleston Payroll Office does not create adequate cover sheets for the Personnel/Payroll Reports as required by the DFAS entity-wide Personnel/Payroll Reconciliation SOP.

          DFAS-Denver
          DFAS Denver does not retain Personnel/Payroll Reconciliation packages (i.e., coversheet, report) as required by the DFAS Pay Personnel Reconciliation SOP; therefore, testing could not be performed.

          DFAS-Indianapolis
          We could not conduct testing for this control activity. The Indianapolis Payroll Office has not yet performed reconciliation between the personnel system, Defense Civilian Personnel Data System (DCPDS), and DCPS as it has only processed 3 payrolls within the audit period.

          Since this control activity had not been performed at this location during our period of testing, we can not conclude on the effectiveness of this control.

7.20 – Only authorized personnel have the ability to disburse payroll.

      Tests Performed: Inquired with the appropriate personnel, observed the disbursement of payroll, and inspected a sample of 45 DCPS user profiles to confirm that only authorized personnel have the ability to disburse payroll.

      Results of Testing:
          All Payroll Offices
          Of the 56 SAAR forms inspected for persons with the ability to disburse payroll, 1 was missing a supervisor signature.

7.21 – Policies and procedures are documented to describe that controls provide reasonable assurance of the integrity and reliability of DCPS data for financial reporting purposes.

      Tests Performed: Inquired with appropriate personnel and read policies and procedures to confirm that controls provide reasonable assurance of the integrity and reliability of DCPS data for financial reporting purposes.

      Results of Testing:
          DFAS-Pensacola
          No relevant exception noted.

          DFAS-Charleston
          A policy and/or procedure does not exist that requires the 592 reconciler to identify an increase in total payroll or to document and include the reason for increase in the 592 file when one occurs (see additional results of testing in Control Activity 7.19).

          DFAS-Denver
          No relevant exception noted.

          DFAS-Indianapolis
          Policies and procedures for reconciling the 592 reports have not been developed and documented.

7.22 – Payroll transactions at the end of a payroll cycle are reconciled by supervisory personnel to ensure complete and consistent recording in the appropriate accounting period.

      Tests Performed: Inquired with appropriate personnel and inspected a 100% sample of 26 592 payroll reconciliations at the end of a payroll cycle to confirm they are reconciled to confirm complete and consistent recording in the appropriate accounting period.

      Results of Testing:
          DFAS-Pensacola
          CP1 Database: Of the 26 592 reconciliation reports, we observed that 1 report did not have a certifying officer's signature.
          ZKA Database: Of the 26 592 reconciliation reports, we observed that 2 of the 2812 Statements of Withholding were not signed and dated, and 3 of the 2812 Statements of Withholding were not dated.

          DFAS-Charleston
          ZGT Database: Of the 26 592 reconciliation reports, we observed that 1 report was corrected by the preparer but not reconciled; 1 report did not balance when a supplemental was prepared, and it did not have the 592 preparer's signature; 3 reports were corrected but did not balance and did not have a corresponding supplemental worksheet. Additionally, an inconsistency was confirmed in the DFAS Charleston Payroll Center's procedure for recording adjustments to the 592 when the report is initially out of balance or does not include all of the lines of accounting that are required for full reconciliation.

          DFAS-Denver
          No relevant exception noted.

          DFAS-Indianapolis
          ZPV Database: Of the 26 592 reconciliation reports requested, 5 pay periods were processed and reconciled by the Veterans Affairs on their own behalf, therefore, only 21 592 reports were considered in scope and tested. Of the 21 592 reconciliation reports inspected 2 withholding reports were not signed.

7.23 – Error reports, such as the Personnel Interface Invalid Report, and error warnings show rejected transactions with error messages that have clear understandable corrective actions for each type of error. Rejected data are automatically written to the Personnel Interface Invalid Report and held until corrected by payroll technicians, and each erroneous transaction is annotated with codes indicating the type of data error, date and time the transaction was processed and the error identified, and the identity of the user who originated the transaction. Users review the Personnel Interface Invalid Reports for data accuracy, validity, and completeness. A control group is responsible for controlling and monitoring rejected transactions included on the Personnel Interface Invalid Report.

      Tests Performed: Inquired with appropriate personnel and obtained a sample of 45 Personnel Interface Invalid Reports to confirm the following:
          • the reports show rejected transactions with error messages that have clear understandable corrective actions for each type of error;
          • the rejected data are automatically written on an automated error suspense file and held until corrected by payroll technicians, and each erroneous transaction is annotated with codes indicating the type of data error, date and time the transaction was processed, the error identified, and the identity of the user who originated the transaction;
          • users review output for data accuracy, validity, and completeness; and
          • the report is used for controlling and monitoring rejected transactions.

      Results of Testing:
          DFAS-Pensacola
          Of the 45 Personnel Interface Invalid Reports selected for review, 16 could not be located. Of the 29 Personnel Interface Invalid Reports inspected:
          • 8 reports were missing the technician's signature on the report;
          • 8 reports were missing the date of when the report was annotated by the technician; and
          • 29 were inconsistently annotated with codes outlined in the SOP.
          We confirmed that the requirement for technicians to annotate every transaction did not take effect until May 27, 2007. One report in the random sample fell after this date (June 18, 2007). We scanned this report and noted that the technician annotating this report failed to comply with the new requirement and transactions were annotated inconsistently. All 29 reports did not include the technician's annotation for each line item to confirm resolution of all errors in the reports.

          DFAS-Charleston
          Of the 45 Personnel Interface Invalid Reports selected for review, no interface errors occurred for 9 of the reports selected. Of the 36 Personnel Interface Invalid Reports inspected, 1 was not annotated correctly. Furthermore, evidence of supervisory review of Personnel Interface Invalid Reports (PIIR) could not be obtained for the sample selected in Control Activities 7.11/7.23. The PIIR SOP states a supervisor reviews 10% of the Payroll Technician's annotated reports on file.

          DFAS-Denver
          OMA Database: Of the 45 Personnel Interface Invalid Reports inspected, 5 did not contain annotations by the payroll office technician for each line item that described the error correction method.
          ZPA Database: Of the 45 Personnel Interface Invalid Reports inspected, 1 could not be located for review.

          DFAS-Indianapolis
          ZPV Database: ZPV PIIR processing was performed at the Pensacola Payroll Office from August 20, 2006 through May 12, 2007. The Pensacola Payroll Office was unable to supply PIIR documentation for August 20, 2006 through January 19, 2007; therefore, testing could not be conducted for this timeframe. Of the reports requested for the remaining period of the audit period (26 reports in total), 1 could not be located. Of the 25 inspected, 15 reports were missing a date, 1 did not have a technician's signature, and 4 were not properly annotated.

7.24 – Policies and procedures are documented to describe that capabilities exist for fiscal year-end, leave-year-end and calendar year-end processing and forfeitures in accordance with established Government-wide and agency guidelines.

      Tests Performed: Inquired with appropriate personnel and read policies and procedures to confirm that capabilities exist for fiscal year-end, leave-year-end and calendar year-end processing and forfeitures in accordance with established Government-wide and agency guidelines. Obtained and inspected Payroll Quality Review (PQR) reports to confirm checklists are followed and payroll steps have been performed.

      Results of Testing:
          DFAS-Pensacola
          No relevant exception noted.

          DFAS-Charleston
          No relevant exception noted.

          DFAS-Denver
          No relevant exception noted.

          DFAS-Indianapolis
          We could not conduct testing for this control activity. DFAS Indianapolis has not performed year-end processing; therefore, no procedures were available for the audit period.

          Since this control activity had not been performed at this location during our period of testing, we can
Control Objective             Control Activities                         Tests Performed                    Results of Testing\n\n\n                                                                                                              not conclude on the\n                                                                                                              effectiveness of this\n                                                                                                              control.\n\n\n                          7.25 \xe2\x80\x93 Payroll withholding table data      Inspected payroll withholding table      DFAS-Pensacola\n                          is periodically reviewed by                data updates to confirm they are\n                                                                                                              No relevant exception\n                          supervisory personnel for compliance       periodically updated by supervisory\n                                                                                                              noted.\n                          with statutory requirements.               
personnel for compliance with\n                                                                     statutory requirements.\n\n\n\n                          7.26 \xe2\x80\x93 The data processing control         Inquired with appropriate personnel      DFAS-Pensacola\n                          group has a schedule by application        and inspected the schedules used by\n                                                                                                              No relevant exception\n                          that shows when outputs should be          the data processing group, to confirm\n                                                                                                              noted.\n                          completed, when they need to be            they:\n                          distributed, who the recipients are, and\n                                                                     \xe2\x80\xa2   have a schedule by application\n                          the copies needed; reviews output\n                                                                         that shows when outputs need to\n                          products for general acceptability; and\n                                                                         be completed, when they need to\n                          reconciles control information to\n                                                                         be distributed, who the recipients\n                          determine completeness of processing.\n                                                                         are, and the copies needed;\n                                                                     \xe2\x80\xa2   review output products for\n                                                                         general acceptability; and\n                                                                         reconcile control information to\n          
                                                               determine completeness of\n                                                                         processing.\n\n\n\n\n                                                          77\n\n\x0cNo.   Control Objective             Control Activities                        Tests Performed                    Results of Testing\n\n\n                          7.27 \xe2\x80\x93 Policies and procedures are        Inquired with appropriate personnel      DFAS-Pensacola\n                          documented to describe that current-      and read policies and procedures to\n                                                                                                             No relevant exception\n                          or prior-period adjustments to            confirm that current- or prior-period\n                                                                                                             noted.\n                          employee\xe2\x80\x99s pay, including employee        adjustments to employee\xe2\x80\x99s pay,\n                          debt, tax deduction, or deductions not    including employee debt, tax             DFAS-Charleston\n                          taken, are reported, reconciled and       deduction, or deductions not taken,\n                                                                                                             No relevant exception\n                          approved.                                 
are reported, reconciled and approved.\n                                                                                                             noted.\n\n\n\n\n                                                                                                             DFAS-Denver\n                                                                                                             No relevant exception\n                                                                                                             noted.\n                                                                                                             DFAS-Indianapolis\n                                                                                                             No relevant exception\n                                                                                                             noted.\n\n\n                          7.28 \xe2\x80\x93 Policies and procedures are        Inquired with appropriate personnel      DFAS-Pensacola\n                          documented to describe that               and read policies and procedures to\n                                                                                                             The DCPS SYSOUT SOP\n                          transactions from interfacing systems     confirm that transactions from\n                                                                                                             is one page in length and\n                          are subjected to the payroll system       interfacing systems are subjected to\n                                                                                                             does not describe all\n                          edits, validations and error-correction   the payroll system edits, validations\n                                                                                                             activities performed 
for\n                          procedures.                               and error-correction procedures.\n                                                                                                             investigating and\n                                                                    Obtained and inspected a sample of       correcting erroneous data.\n                                                                    45 HHS transactions input to DCPS to     The DCPS SYSOUT is an\n                                                                    confirm transactions from interfacing    online report that contains\n                                                                    systems are subjected to the payroll     mainframe processing\n                                                                    system edits, validations, and error-    results, including run-to-\n                                                                    correction procedures. Additionally,\n                                                                    inspected associated reports (i.e.,\n\n\n                                                           78\n\n\x0cNo.   
Control Objective             Control Activities                        Tests Performed                    Results of Testing\n\n\n                                                                    MyPay Invalid Reports and MER            run balancing and system\n                                                                    Add/Change/Delete Reports) to            error messages, if\n                                                                    confirm they are reviewed by             applicable.\n                                                                    appropriate personnel, and any\n                                                                                                             DFAS management\n                                                                    exceptions identified are investigated\n                                                                                                             indicated the testing\n                                                                    and resolved.\n                                                                                                             exception was caused by\n                                                                                                             an administrative error and\n                                                                                                             the exception was not\n                                                                                                             significant enough to\n                                                                                                             prevent the control activity\n                                                                                                             from meeting its related\n                                                                                                             control 
objective.\n                                                                                                             DFAS-Charleston\n                                                                                                             No relevant exception\n                                                                                                             noted.\n                                                                                                             DFAS-Denver\n                                                                                                             No relevant exception\n                                                                                                             noted.\n                                                                                                             DFAS-Indianapolis\n                                                                                                             No relevant exception\n                                                                                                             noted.\n\n                          7.29 \xe2\x80\x93 The system provides an audit       Inquired with appropriate personnel      DFAS-Pensacola\n                          trail of all transactions processed,      and inspected audit trails of\n                                                                                                             No relevant exception\n                          transaction errors, error descriptions,   transactions to confirm that erroneous\n                                                                                                             noted.\n                          and error correction procedures.          
transactions are reviewed by\n                          Audit trails are reviewed by              supervisory personnel, captured,\n                          supervisory personnel and erroneous       reported, investigated, and corrected.\n                          data are captured, reported,\n                          investigated, and corrected.\n\n\n\n                                                           79\n\n\x0c    No.         Control Objective                 Control Activities                       Tests Performed                   Results of Testing\n\n\n8         Controls provide reasonable   8.1 - Policies and procedures are        Inquired with appropriate personnel      DFAS-Pensacola\n          assurance that data from      documented to describe that data         and read policies and procedures to\n                                                                                                                          No relevant exception\n          interfacing systems are       transmissions between DCPS and user      confirm that data transmissions\n                                                                                                                          noted\n          transferred timely and        organizations are authorized,            between DCPS and user organizations\n          accurately.                   complete, accurate and secure.           
are authorized, complete, accurate and\n                                                                                 secure.\n\n                                        8.2 - For interfacing systems, record    Inquired with appropriate personnel      DFAS-Pensacola\n                                        counts are accumulated and compared      and inspected interface files to\n                                                                                                                          No relevant exception\n                                        to footer control totals to help         confirm that record counts match\n                                                                                                                          noted\n                                        determine the completeness of            control totals in the footer to\n                                        interface processing. Out-of-balance     determine completeness of interface\n                                        conditions are reported, corrected and   processing and that out-of-balance\n                                        reentered.                               
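The completeness control described in 8.2 (accumulated record counts and amount totals compared against the footer control totals, with out-of-balance conditions reported, corrected and reentered) and the automatic sequence numbering described in the next control activity, 8.3, can be illustrated with a short batch reconciliation. This is an added example, not DCPS code or a DFAS procedure: the pipe-delimited header/detail/trailer layout, the field order, the batch contents, and the function names parse_batch, assign_sequence_numbers, reconcile and run_batch are assumptions made for the illustration.

```python
"""Interface-batch completeness check: record counts and amount totals vs
footer control totals, plus sequence numbering for records without serials.
Added example; the file layout below is assumed, not a real DCPS interface."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional, Tuple

# Constructed sample batch (hypothetical layout):
#   H|batch_id|as_of_date
#   D|serial|employee_id|amount     serial may be blank (no pre-assigned number)
#   T|record_count|amount_total     footer control totals from the sender
# The footer claims 5 records totalling 2795.25, but only 4 details are present.
SAMPLE_BATCH = """\
H|HHS-20070115|20070115
D|A1001|000123|1250.00
D||000456|980.50
D|A1003|000789|-45.25
D||000321|410.00
T|5|2795.25
"""

# The corrected batch re-enters the missing detail record and balances.
CORRECTED_BATCH = SAMPLE_BATCH.replace("T|5|", "D|A1005|000654|200.00\nT|5|")


@dataclass
class Detail:
    serial: Optional[str]
    employee_id: str
    amount: Decimal
    sequence: Optional[int] = None   # assigned at intake when serial is blank
    processed: bool = False


@dataclass
class Trailer:
    record_count: int
    amount_total: Decimal


@dataclass
class Reconciliation:
    in_balance: bool
    counted: int
    summed: Decimal
    exceptions: List[str] = field(default_factory=list)


def parse_batch(text: str) -> Tuple[List[Detail], Trailer]:
    """Split the batch into detail records and the footer control record."""
    details: List[Detail] = []
    trailer: Optional[Trailer] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("|")
        if f[0] == "H":
            continue
        if f[0] == "D":
            details.append(Detail(f[1] or None, f[2], Decimal(f[3])))
        elif f[0] == "T":
            trailer = Trailer(int(f[1]), Decimal(f[2]))
        else:
            raise ValueError(f"line {lineno}: unknown record type {f[0]!r}")
    if trailer is None:
        raise ValueError("footer control record missing; batch cannot be reconciled")
    return details, trailer


def assign_sequence_numbers(details: List[Detail], start: int = 1) -> int:
    """8.3: give each record lacking a pre-assigned serial a unique sequence
    number so every transaction can be tracked through processing.
    Returns how many numbers were assigned."""
    seq = start
    for d in details:
        if d.serial is None:
            d.sequence = seq
            seq += 1
    return seq - start


def reconcile(details: List[Detail], trailer: Trailer) -> Reconciliation:
    """8.2: compare the accumulated count and amount total with the footer.
    Every mismatch is reported as an out-of-balance condition."""
    counted = len(details)
    summed = sum((d.amount for d in details), Decimal("0"))
    exceptions = []
    if counted != trailer.record_count:
        exceptions.append(f"record count {counted} != footer {trailer.record_count}")
    if summed != trailer.amount_total:
        exceptions.append(f"amount total {summed} != footer {trailer.amount_total}")
    return Reconciliation(not exceptions, counted, summed, exceptions)


def unprocessed(details: List[Detail]) -> List[str]:
    """Name every record not yet marked processed, by serial or sequence number."""
    return [d.serial or f"SEQ{d.sequence}" for d in details if not d.processed]


def run_batch(text: str) -> Tuple[Reconciliation, List[Detail], int]:
    """Intake one batch: parse, number unserialised records, reconcile."""
    details, trailer = parse_batch(text)
    assigned = assign_sequence_numbers(details)
    return reconcile(details, trailer), details, assigned


if __name__ == "__main__":
    for label, batch in (("original", SAMPLE_BATCH), ("corrected", CORRECTED_BATCH)):
        recon, details, assigned = run_batch(batch)
        print(label, "in balance" if recon.in_balance else "OUT OF BALANCE",
              recon.exceptions, "sequence numbers assigned:", assigned)
        print("  awaiting processing:", unprocessed(details))
```

The first run is reported out of balance on both the record count and the amount total because the constructed batch is one detail record short; the corrected batch that reenters the missing record balances. Records that arrive without a serial get a sequence number at intake, so an exception or monitoring report can name every record even when the sending system supplied no identifier.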
8.3 - Control Activity: Batch transactions without pre-assigned serial numbers
      are automatically assigned a unique sequence number, which is used by
      the computer to monitor that all transactions are processed.
    Tests Performed: Observed batch process monitoring to confirm transactions
        without pre-assigned serial numbers are automatically assigned a
        unique sequence number.
    Results of Testing:
        DFAS-Pensacola: No relevant exception noted.

General Computer Control Objectives, Control Activities, Tests Performed, and Results of Testing

1   Security Programs Effectiveness Monitoring

1.1 Control Objective: Controls provide reasonable assurance that the security
    program effectiveness is monitored and changes are made as needed.
    1.1.1 Control Activity (DISA DECC Mechanicsburg & DFAS Saufley Field): DoD
        and DFAS policy both direct annual Information Assurance (IA) review.
    Tests Performed (DISA DECC Mechanicsburg & DFAS Saufley Field):
        Interviewed the Security Officer to obtain an understanding of how
        management assessed the appropriateness of the security policies and
        compliance with them.
    Results of Testing: No relevant exception noted.

1.2 Control Objective: Management monitors compliance with policies and
    procedures.
    1.2.1 Control Activity (DISA DECC Mechanicsburg): The Director's Policy
        Letters (DPLs) and Standard Operating Procedures (SOP) are reviewed
        and updated. Security Readiness Review (SRR) is conducted at least
        every 3 years.
    Tests Performed (DISA DECC Mechanicsburg): Inspected the DCPS Security
        Requirements and Information Systems Security Policy Certification
        Test and Evaluation Procedures to confirm that an annual IA review was
        conducted and that comprehensive vulnerability management was in
        place.
    Results of Testing: No relevant exception noted.

1.3 Control Objective: Corrective actions are effectively implemented.
    1.3.1 Control Activity (DISA DECC Mechanicsburg): The Vulnerability
        Management System (VMS) 6.0 is used to track the status of outstanding
        Information Assurance Vulnerability Alerts (IAVAs) and the status of
        STIG findings from the Security Readiness Review (SRR) process. DECC
        Mechanicsburg management is responsible for tracking and closing all
        IAVAs and STIG findings that resulted from the SRR process.
    1.3.2 Control Activity (DFAS Saufley Field): Remediation plans detail
        corrective actions in response to findings identified in audits of
        DCPS or DFAS. Management has approved the remediation plan and
        monitors progress of the plan.
    Tests Performed (DISA DECC Mechanicsburg): Observed the SRR process to
        confirm that corrective actions are effectively implemented for
        identified SRR findings. Selected a sample of SRRs and inspected the
        VMS reports to confirm findings identified by the SRR process have
        been addressed. Requested prior audit reports or reviews and confirmed
        remediation had occurred for the findings and recommendations
        presented within.
    Tests Performed (DFAS Saufley Field): Requested prior audit reports or
        reviews and confirmed remediation has occurred for the findings and
        recommendations presented within the reports. Requested remediation
        plans intended to address previous findings to confirm remediation had
        been initiated.
    Results of Testing: No relevant exception noted.

2   Risk Assessment

2.1 Control Objective: Risk assessments are performed according to current
    Federal and DoD requirements.
    2.1.1 Control Activity (DISA DECC Mechanicsburg & DFAS Saufley Field): DoD
        and DFAS policy both direct an annual IA review.
    Tests Performed (DISA DECC Mechanicsburg): Inquired with the Information
        System Security Officer (ISSO) and related security personnel and
        inquired how often the risk assessment process occurs. Observed the
        SRR process and confirmed how often it occurs and that deficiencies
        and corrective actions are tracked. Selected a sample of SRRs
        performed to inspect the Vulnerability Management System (VMS) reports
        to confirm findings identified by the SRR process have been addressed.
    Tests Performed (DFAS Saufley Field): Inquired with the ISSO and related
        security personnel and inquired how often the risk assessment process
        occurs. Inspected the latest Risk Assessment, which should be included
        with the System Security Authorization Agreement (SSAA), to confirm
        that risks are periodically assessed.
    Results of Testing: No relevant exception noted.

3   Site Security Plans

3.1 Control Objective: Site security plans are documented, approved, and are
    current.
    3.1.1 Control Activity (DFAS Saufley Field): DoD and DFAS policy both
        direct annual IA review. Review appropriate generated documentation to
        ensure that these processes are accomplished.
    Tests Performed (DFAS Saufley Field): Inspected the DCPS SSAA to confirm it
        has been documented, kept current and appropriately approved by
        management. Inspected DCPS Systems Security Policy, Security
        Requirements, and Certification Test and Evaluation Plan and Procedures
        to confirm that each has been updated.
    Results of Testing: No relevant exception noted.

4   Security Management Structure

4.1 Control Objective: A security management structure has been established
    with DCPS.
    4.1.1 Control Activity (DFAS Saufley Field): The DCPS SSAA describes the
        IA operations of the DoD information system and clearly delineates IA
        responsibilities and expected behavior of all personnel.
    Tests Performed (DFAS Saufley Field): Confirmed through inquiry that a
        management structure had been established. Obtained and inspected the
        security management organization chart. Requested one position
        description for each function listed on the organization chart to
        confirm that positions were established in writing. Inspected the
        SSAA for the security management structure. Confirmed each position
        function is outlined in the SSAA.
    Results of Testing: No relevant exception noted.

4.2 Control Objective: Information security responsibilities are clearly
    assigned.
    4.2.1 Control Activity (DISA DECC Mechanicsburg & DFAS Saufley Field): The
        DISA SMC-ME SSAA and the DCPS SSAA both describe the IA operations of
        the DoD information system and clearly delineate IA responsibilities
        and expected behavior of all personnel.
    Tests Performed (DISA DECC Mechanicsburg): Inspected signed rules of
        behavior statements for the DISA personnel with access to DCPS and the
        underlying operating system.
    Tests Performed (DFAS Saufley Field): Inspected the SSAA for the security
        management responsibilities. Confirmed that each position outlined in
        the SSAA is filled by personnel and that the personnel understand
        their duties. Inspected signed rules of behavior statements for the
        DFAS personnel with access to DCPS.
    Results of Testing: No relevant exception noted.

4.3 Control Objective: Employees are aware of security policies.
    4.3.2 Control Activity (DFAS Saufley Field): Ongoing security awareness
        programs that include initial training and periodic refresher
        training.
    Tests Performed (DFAS Saufley Field): Inspected the Security Awareness
        Training materials. Obtained a list of employees who have access to
        DCPS. Selected a sample of employees who have DCPS access and
        inspected their training files to confirm the completion of the
        necessary security training and a signoff. Obtained evidence that
        management has active security awareness programs in place (i.e.,
        electronic mail files or other policy distribution mechanisms) that
        proactively emphasize the security policies to data owners and users.
    Results of Testing: No relevant exception noted.

4.4 Control Objective: A comprehensive vulnerability management process that
    includes the systematic identification and mitigation of software and
    hardware vulnerabilities is in place.
    4.4.1 Control Activity (DISA DECC Mechanicsburg): Vulnerabilities are
        tracked in the Vulnerability Management System (VMS) database. Prior
        to connection to the network, the SA must run a VS08 report detailing
        Information Assurance Vulnerability Management (IAVM) notices for the
        asset's operating system. All IAVM notices must be mitigated and
        applicable patches loaded prior to connecting the asset to the
        network. Once all checklists have been applied from the Security
        Technical Implementation Guide (STIG) and the patches from the
        vulnerability alerts have been installed, a self assessment and a
        Retina network scan will be conducted. Security assessments that
        require a scan will use the Retina scanner and the FSO Full Scan
        Policy. The scan will be conducted using a direct connection from the
        system running the scanner to the system being assessed, or the site
        is authorized to connect the asset to an isolated network during the
        Retina scan.
    Tests Performed (DISA DECC Mechanicsburg): Obtained the VMS reports for
        the audit period for DCPS and confirmed vulnerabilities are being
        tracked and resolved in a timely manner.
    Results of Testing: No relevant exception noted.
Each site will place their self-\n                           assessment in the VMS Database. If\n                           the systems have a database, web\n                           server, or any other software that has\n                           a STIG, they must place those self\n                           assessments in VMS as well. The\n                           network scan must be run with all\n                           database instances and all web\n                           servers running.\n\n\n\n\n                                                            88\n\n\x0cNo.       Control Objectives                   Control Activities                           Tests Performed                      Results of Testing\n\n5     Personnel Policies\n\n                                                                                                                               DFAS Saufley Field\n      Employee (Government or         DFAS Saufley Field                        DFAS Saufley Field\n5.1\n      contractor) background          The DCPS SSAA requires system\n                                                                                Requested, obtained, and inspected the         For 2 of the 45 sampled\n      investigations, hiring,         users to be subjected to various levels\n                                                                                policies and procedures for gaining access     DCPS users from\n      transferring, and termination   of Personnel Security Investigations\n                                                                                to sensitive information.                      
DFAS TSO PE, the\n      policies address security and   (PSI\xe2\x80\x99s) based on the level of access\n                                                                                                                               Justification for Access\n      are in compliance with DoD      or privileges they have within the        Obtained a listing of all personnel\n                                                                                                                               (block 13) on the\n      Instruction 8500.02.            systems. The higher the level of          associated with DCPS. Selected a sample\n                                                                                                                               DD2875 Access\n                                      access, the more stringent the            of DCPS users and obtained the SAAR\n                                                                                                                               Request Form was not\n                                      required investigation becomes. As a      Form 2875 for each. 
Confirmed that each\n                                                                                                                               complete.\n                                      minimum, all DFAS DCPS                    SAAR Form 2875 details the user\xe2\x80\x99s\n                                      personnel/employees (military,            justification for access, security clearance\n                                                                                                                               For 4 of the 45 sampled\n                                      civilian or contractors) will have a      level, and the proper approvals.\n                                                                                                                               DCPS users from\n                                      favorably completed NAC.\n                                                                                                                               DFAS TSO PE, the\n                                                                                                                               Justification for Access\n                                                                                                                               (block 13) on the\n                                                                                                                               DD2875 Access\n                                                                                                                               Request Form was not\n                                                                                                                               specific to job duties.\n\n                                                                                                                               DFAS management\n                                                                                  
                                             indicated the testing\n                                                                                                                               exception was caused\n                                                                                                                               by an administrative\n                                                                                                                               error and the exception\n                                                                                                                               was not significant\n                                                                                                                               enough to prevent the\n                                                                                                                               control activity from\n                                                                                                                               meeting its related\n                                                                                                                               control objective.\n\n\n\n\n                                                                        89\n\n\x0cNo.       
Control Objectives                  Control Activities                        Tests Performed                 Results of Testing\n\n      Job descriptions for           5.2.1 DISA DECC Mechanicsburg          DISA DECC Mechanicsburg                   No relevant exception\n5.2\n      Government employees           and DFAS Saufley Field                                                           noted.\n                                                                            Inspected the job descriptions for the\n      have been documented, and\n                                     Developed position descriptions for    applicable types of personnel.\n      employees understand their\n                                     distinct system support positions.\n      duties and responsibilities.\n                                                                            DFAS Saufley Field\n                                                                            Inspected the job descriptions for the\n                                                                            applicable types of personnel listed in\n                                                                            control objective # 5.1.\n\n\n                                     5.2.2 DISA DECC Mechanicsburg          DISA DECC Mechanicsburg                   No relevant exception\n                                     and DFAS Saufley Field                                                           noted.\n                                                                            Selected a sample of employees and\n                                     Position descriptions are available    confirmed through inquiry that they\n                                     and Performance Plans are provided     understood their duties and\n                                     to assist employees in understanding   responsibilities.\n                                     their roles and 
responsibilities\n                                                                            Observed documentation to confirm that\n                                     according to their assigned duties.\n                                                                            employees have signed position\n                                                                            descriptions.\n\n\n                                                                            DFAS Saufley Field\n                                                                            Selected a sample of employees and\n                                                                            confirmed through inquiry that they\n                                                                            understood their duties and\n                                                                            responsibilities.\n                                                                            Observed documentation to confirm that\n                                                                            employees have signed their performance\n                                                                            plans.\n\n\n\n\n                                                                     90\n\n\x0cNo.      Control Objectives                Control Activities                          Tests Performed                      Results of Testing\n                                  5.2.3 DFAS Saufley Field                 DFAS Saufley Field                             No relevant exception\n                                  All DFAS personnel are required to       Inspected the hiring, transfer, termination    noted.\n                                  complete initial and periodic IA         and performance policies to confirm they\n                                  training. 
This training helps the        are documented and address security.\n                                  employee understand the importance\n                                                                           Confirmed though inquiry that debriefs\n                                  of their roles and responsibilities.\n                                                                           are conducted when employees are\n                                                                           terminated and that a HR Checklist is\n                                                                           used to note the collection of DFAS\n                                                                           property.\n                                                                           Confirmed through observation that an\n                                                                           email is sent to the System Administrator\n                                                                           to request that system access be removed\n                                                                           for a terminated employee.\n      Employee (Government or     5.3.1 DISA Mechanicsburg & DFAS          DISA DECC Mechanicsburg                        DISA DECC\n5.3   contractor) is adequately   Saufley Field                            Confirmed through inquiry that a training      Mechanicsburg\n      trained and possess the     A program is implemented to ensure       program has been established.\n      required skills.            that upon arrival and periodically       Requested documentation to confirm the         For 2 of the 22 DISA\n                                  thereafter, all personnel receive        existence of this training program.            
DECC Mechanicsburg\n                                  training and familiarization to          (examples can include: individual              employees selected in\n                                  perform their assigned IA                training plans, job specific training plans,   the sample, the\n                                  responsibilities, to include             policy for requirements of training)           employee\xe2\x80\x99s Individual\n                                  familiarization with their prescribed    If training is conducted in-house,             Development Plans do\n                                  roles in all IA- related plans such as   inspected the training materials to            not have job related\n                                  incident response, configuration         confirm that they provided personnel with      training scheduled.\n                                  management and COOP or disaster          adequate training and expertise.               Specifically, only 1\n                                  recovery.                                
Selected a sample of employees who have        training session had\n                                                                           access to DCPS and inspected their             been scheduled and it\n                                                                           training records to confirm specific job       was unrelated to the\n                                                                           function training is occurring                 employee\xe2\x80\x99s job\n                                                                                                                          function.\n\n                                                                           DFAS Saufley Field                             For 1 of the 22 DISA\n                                                                                                                          DECC Mechanicsburg\n                                                                           Confirmed through inquiry that a training\n                                                                                                                          employees selected in\n                                                                           program has been established\n                                                                                                                          the sample, the\n\n\n                                                                   91\n\n\x0cNo.   
Control Objectives   Control Activities                      Tests Performed                     Results of Testing\n                                                                                                     employee\xe2\x80\x99s Individual\n                                                      Requested documentation to confirm the\n                                                                                                     Development Plan does\n                                                      existence of this training program.\n                                                                                                     not have any training\n                                                      (examples can include: individual\n                                                                                                     scheduled.\n                                                      training plans, job specific training plans,\n                                                      policy for requirements of training)\n                                                                                                     DISA management\n                                                      If training is conducted in-house,             indicated the testing\n                                                      inspected the training materials to            exception was caused\n                                                      confirm that they provided personnel with      by an administrative\n                                                      adequate training and expertise and that       error and the exception\n                                                      they are up to date.                           
was not significant\n                                                                                                     enough to prevent the\n                                                      Selected a sample of employees who have\n                                                                                                     control activity from\n                                                      access to DCPS and inspected their\n                                                                                                     meeting its related\n                                                      training records to confirm specific job\n                                                                                                     control objective.\n                                                      function training is occurring.\n                                                                                                     DFAS Saufley Field\n\n                                                                                                     No relevant exception\n                                                                                                     noted.\n\n\n\n\n                                                92\n\n\x0cNo.       
Control Objectives                  Control Activities                         Tests Performed                    Results of Testing\n\n6     Information Resources Classification\n\n      Resource classifications and   6.1.1 DISA DECC Mechanicsburg           DISA DECC Mechanicsburg                      No relevant exception\n6.1\n      related criteria have been                                                                                          noted.\n                                     DFAS Management has classified          Inquired with management as to the\n      established.\n                                     DCPS according to appropriate           process for identifying and prioritizing\n                                     Mission Assurance Category (MAC)        critical data and operations.\n                                     level standards and is identified\n                                                                             Obtained documentation that supports\n                                     within the Service Level Agreement\n                                                                             this process and confirmed that it is\n                                     (SLA) between DISA and DFAS.\n                                                                             current and was approved by\n                                                                             management.\n                                     DFAS Saufley Field\n                                     DFAS Management has classified          DFAS Saufley Field\n                                     DCPS according to appropriate MAC\n                                                                             Inquired with management as to the\n                                     level standards and is identified\n                                                                             process for identifying and prioritizing\n         
                            within the SLA between DISA and\n                                                                             critical data and operations.\n                                     DFAS.\n                                                                             Obtained documentation that supports\n                                                                             this process and confirmed that it is\n                                                                             current and was approved by\n                                                                             management.\n\n\n                                     6.1.2 DISA DECC Mechanicsburg           DISA DECC Mechanicsburg                      No relevant exception\n                                                                                                                          noted.\n                                     DFAS Management has identified          Corroborated with key personnel that\n                                     DCPS resources supporting critical      identification of resources supporting\n                                     operations based on the nature and      critical operations is based on the nature\n                                     impact of the disaster. 
The resources   and impact of the disaster.\n                                     are included in the DISA SMC ME\n                                                                             Obtained and inspected the business\n                                     Business Continuity Plan as\n                                                                             continuity plan and confirmed that\n                                     prescribed in the Service Level\n                                                                             supporting critical operations are\n                                     Agreement between DISA and\n                                                                             identified, emergency priorities are\n                                     DFAS.\n                                                                             established, and they were approved by\n\n                                                                     93\n\n\x0cNo.       Control Objectives                  Control Activities                         Tests Performed                    Results of Testing\n                                                                             management.\n\n                                     DFAS Saufley Field\n                                                                             DFAS Saufley Field\n                                     DFAS management has identified\n                                     DCPS resources supporting critical      Corroborated with key personnel that\n                                     operations based on the nature and      identification of resources supporting\n                                     impact of the disaster. 
The resources   critical operations is based on the nature\n                                     are included in the DISA SMC ME         and impact of the disaster.\n                                     Business Continuity Plan as\n                                                                             Obtained and inspected the business\n                                     prescribed in the SLA between DISA\n                                                                             continuity plan and confirmed that\n                                     and DFAS.\n                                                                             supporting critical operations are\n                                                                             identified, emergency priorities are\n                                                                             established, and they were approved by\n                                                                             management.\n\n\n\n                                                                                                                          DFAS Saufley Field\n      DFAS has classified all        6.2.1 DFAS Saufley Field                DFAS Saufley Field\n6.2   DFAS-owned assets\n                                     Management has classified DCPS          Inspected the DCPS SSAA and confirmed        DFAS does not have\n      according to criticality and\n                                     according to appropriate MAC level      that a MAC level had been assigned to        MOAs in place for 4 of\n      sensitivity.\n                                     standards.                              DCPS.                                        
the 81 DCPS interfaces.

      Inquired with data owners and confirmed that a MAC level has been assigned to DCPS.

      Inspected the DCPS Service Level Agreement (SLA) between DFAS and DISA to determine the classification of DCPS communicated to DISA.


6.3   Control Objective: Data management and the disposition and sharing of data requirements are identified in the SLAs.

      Control Activity 6.3.1 (DFAS Saufley Field): Documented policies and procedures that govern the sharing of data are in the DCPS SSAA.

      Tests Performed (DFAS Saufley Field):
      Inspected documents authorizing file sharing and file sharing agreements and confirmed that the owners approve the sharing of data. In many cases these documents are called a Memorandum of Understanding (MOU) or SLA.
      Inspected the DCPS SSAA and confirmed that a MAC level had been assigned to DCPS.
      Inquired with data owners and confirmed that a MAC level has been assigned to DCPS.
      Inquired with data owners and confirmed that an MOU has been developed and is in place for each DCPS interface.

      Results of Testing (DFAS Saufley Field): DFAS does not have MOAs in place for 4 of the 81 DCPS interfaces.


6.4   Control Objective: DCPS has logical controls over data files and software programs.

      Control Activity 6.4.1 (DFAS Saufley Field): The System Access Authorization Request (SAAR) DD-2875 form is used to identify authorized users and control their access.

      Tests Performed (DFAS Saufley Field):
      Requested a complete DCPS user list. Selected a sample of users from the list and inspected their user access request forms for existence and management approval.
      Observed the application to confirm that users must possess a valid User ID and Password to gain access to the system.
      Interviewed owners and observed supporting documentation to confirm that inappropriate access is removed in a timely manner.
      Interviewed security managers and confirmed that supporting documentation was provided to them.
      Obtained a representative sample of profile changes and activity logs and confirmed that management reviewed the changes and logs.
      Obtained a list of recently terminated employees from personnel. Selected a representative sample of terminated employees and confirmed that system access was promptly terminated.

      Results of Testing (DFAS Saufley Field): DCPS does not use a complex password configuration. In addition, DCPS does not require that at least four characters be changed when a new password is created. Two of the 20 terminated DFAS Saufley Field employees and contractors were not removed from DCPS within 24 hours of the user deactivation request sent in the personnel action email by Human Resources.

      Control Activity 6.4.2 (DISA DECC Mechanicsburg): The DISA System Support Office (SSO), a unit independent of SMC operations, is responsible for maintaining the system libraries; however, SMC Operations performs the library installation. Access to system libraries is restricted to authorized individuals, including system programmers at SSO and SMC-ME.

      Tests Performed (DISA DECC Mechanicsburg):
      Confirmed through inquiry and inspection of the root access users for the DCPS servers that access restrictions have been established around the data files and software programs.
      Inspected the access logs and corroborated with management that the access logs are reviewed for inappropriate access and that system libraries were managed and maintained to protect privileged programs.

      Results of Testing (DISA DECC Mechanicsburg): No relevant exception noted.


7     User Account Management

7.1   Control Objective: Authorized owners and their access rights are identified for DISA/DFAS-owned assets. Access authorizations are appropriately limited.

      Control Activity 7.1.1 (DISA DECC Mechanicsburg & DFAS Saufley Field): User accounts are suspended after 30 days of no activity (60 days for TSO and Payroll offices) and removed after 90 days. Accounts are approved by IA Officers.

      Tests Performed (DISA DECC Mechanicsburg):
      Inspected the policies and procedures for restricting access to the systems software to confirm that they were up-to-date.
      Obtained a list from the Discretionary Access Control (DAC) of individuals who had direct access to the system software and selected a sample of users with direct access. For each user selected, confirmed with key management personnel that these users were authorized to have this access.
      Inquired with key management that suspension and termination of access is performed according to the policies and procedures.
      Interviewed owners and observed supporting documentation to confirm that inappropriate access is removed in a timely manner.
      Obtained a list of recently terminated employees from personnel. Selected a representative sample of terminated employees and confirmed that system access was promptly terminated.

      Results of Testing (DISA DECC Mechanicsburg): For 1 of the 45 sampled DCPS users from DISA DECC Mechanicsburg, the Justification for Access (block 13) on the DD2875 Access Request Form was not complete. For 3 of the 45 sampled DCPS users from DISA DECC Mechanicsburg, the Justification for Access (block 13) on the DD2875 Access Request Form was not specific to job duties. DFAS management indicated the testing exception was caused by an administrative error and the exception was not significant enough to prevent the control activity from meeting its related control objective.

      Tests Performed (DFAS Saufley Field):
      Inspected the policies and procedures for restricting access to the DCPS application software to confirm that they were up-to-date.
      Obtained a list from the DAC of individuals who had direct access to the DCPS application software and selected a sample of users with direct access. For each user selected, confirmed with key management personnel that these users were authorized to have this access.
      Inquired with key management that suspension and termination of access is performed according to the policies and procedures.
      Interviewed owners and observed supporting documentation to confirm that inappropriate access is removed in a timely manner.
      Obtained a list of recently terminated employees from personnel. Selected a representative sample of terminated employees and confirmed that system access was promptly terminated.

      Results of Testing (DFAS Saufley Field): For 2 of the 45 sampled DCPS users from DFAS Saufley Field, the Justification for Access (block 13) on the DD2875 Access Request Form was not complete. For 4 of the 45 sampled DCPS users from DFAS Saufley Field, the Justification for Access (block 13) on the DD2875 Access Request Form was not specific to job duties. One of the 45 sampled DCPS users from DFAS Saufley Field did not check the box indicating they received IA Training and Awareness Certification on the DD2875 Access Request Form. Two of the 20 terminated DFAS Saufley Field employees and contractors appear not to have been removed from DCPS within 24 hours of the user deactivation request sent in the personnel action email by Human Resources. DFAS management indicated the testing exception was caused by an administrative error and the exception was not significant enough to prevent the control activity from meeting its related control objective.


7.2   Control Objective: IAOs or SAs periodically review authorization listings to determine appropriateness. Policies and techniques have been implemented for using and monitoring use of system utilities.

      Control Activity 7.2.1 (DISA DECC Mechanicsburg): Access to the system software is administered based on roles.

      Tests Performed (DISA DECC Mechanicsburg):
      Inquired with key Mechanicsburg personnel to confirm how root and/or privileged access is administered.
      Obtained the list of individuals with root and/or privileged access.
      Inquired with management that root and privileged access is appropriate and that the use of these accounts is logged.
      Inspected a sample of the audit logs from the DCPS servers to confirm that key personnel review the logs on a regular basis and that any issues noted are documented and researched.

      Results of Testing (DISA DECC Mechanicsburg): No relevant exception noted.


7.3   Control Objective: Emergency and temporary access is controlled.

      Control Activity 7.3.1 (DISA DECC Mechanicsburg & DFAS Saufley Field): Emergency and temporary access authorizations are controlled in accordance with DoD 5200.1-R, DoD 5200.2-R, DoDD 8500.1, and DoDI 8500.2. Accounts are approved by the IA officers.

      Tests Performed (DISA DECC Mechanicsburg):
      Inspected the emergency and temporary access policy.
      Selected a sample of emergency and temporary access and:
          •   confirmed that the authorization was approved and that access was closed in a timely manner;
          •   confirmed that the emergency and temporary access list is periodically reviewed; and
          •   confirmed that temporary access authorizations were established for least privileged need-to-know access.

      Tests Performed (DFAS Saufley Field):
      Inspected the emergency and temporary access policy.
      Selected a sample of emergency and temporary access and:
          •   confirmed that the authorization was approved and that access was closed in a timely manner;
          •   confirmed that the emergency and temporary access list is periodically reviewed; and
          •   confirmed that temporary access authorizations were established for least privileged need-to-know access.

      Results of Testing: No relevant exception noted.


7.4   Control Objective: Group authenticators for application or network access may be used only in conjunction with an individual authenticator.

      Control Activity 7.4.1 (DFAS Saufley Field): Group authenticators are not used for DCPS or network access. Upon initial system login, a user's actions are tracked based on their unique user account.

      Tests Performed (DFAS Saufley Field):
      Confirmed through inquiry whether group authenticators for application and network access are used.
      Inquired to understand the reason behind the usage of group authenticators.
      Inquired whether users are authenticated individually prior to the use of a group authenticator.
      Confirmed through observation that group authentication is used by the operations group; however, mitigating controls are in place.

      Results of Testing (DFAS Saufley Field): There are no formal Standard Operating Procedures for the review of the Operations Job Logs.


8     Physical Security

8.2   Control Objective: Building, administration, and computer facility physical controls have been implemented.

      Control Activity (DFAS Saufley Field): DFAS facilities at DFAS Saufley Field have implemented adequate physical security controls in accordance with DoDI 8500.2. Physical access points are guarded or alarmed 24 hours a day. The Random Anti-Terrorism Measures (RAM) process is in place, which includes periodic, unannounced attempts to penetrate DFAS facilities. Only authorized personnel with appropriate access approval are granted physical access.

      Tests Performed (DFAS Saufley Field):
      Inquired with facility management as to the physical security controls in place. Confirmed through observation that these controls are in place.
      Obtained the results of the most recent facility penetration testing and confirmed that management reviewed the results of the test.

      Results of Testing (DFAS Saufley Field): No relevant exception noted.


8.3   Control Objective: Visitors are controlled.

      Control Activity 8.3.2 (DFAS Saufley Field): All visitors must sign in and out on the visitor control log located in the main lobby. The DCPS SSAA requires all non-cleared personnel to be escorted at all times while inside the building.

      Tests Performed (DFAS Saufley Field):
      Inspected the visitor policy and procedure to confirm that it is documented.
      Confirmed through inquiry that all visitors are controlled.
      Confirmed through inquiry and observation that visitor access to DoD information was determined by both its classification and user need-to-know.
      Obtained the visitor check-in log for a sample of normal business days. Confirmed that the log has been completed according to the visitor policies and procedures.

      Results of Testing (DFAS Saufley Field): The visitor log policy at DFAS Saufley Field is not consistently followed. For 1 day, a Point of Contact for an entry was missing, and for another day a visitor organization was missing for an entry. DFAS management indicated the testing exception was caused by an administrative error and the exception was not significant enough to prevent the control activity from meeting its related control objective.


9     Logical Access

9.1   Control Objective: Access settings have been implemented in accordance with the access authorizations established by the resource owners.

      Control Activity 9.1.1 (DISA DECC Mechanicsburg): Access settings have been implemented in accordance with the access authorizations established by signature authority of the resource owner on Form DD2875 and in accordance with DoDD 8500.1, DoDI 8500.2, and STIGs.

      Tests Performed (DISA DECC Mechanicsburg):
      Obtained a sample of users with access to the DCPS LPAR and obtained the SAAR Form DD2875 for the sampled personnel.
      Confirmed that each Form 2875 details the user's justification for access and security clearance level, and that each Form 2875 is properly approved.

      Control Activity 9.1.2 (DFAS Saufley Field): The TSO assigns security profiles to each userid based on need to know as demonstrated by an approved Form DD2875, request for

      Tests Performed (DFAS Saufley Field): Observed the DCPS system to confirm that each user account was assigned a Security Profile that restricts access by

      Results of Testing (DISA DECC Mechanicsburg): For 1 of the 45 sampled DCPS users from DISA DECC Mechanicsburg, the Justification for Access (block 13) on the DD2875 Access Request Form was not complete. For 3 of the 45 sampled DCPS users from DISA DECC Mechanicsburg, the Justification for
system access.      module or program.\n                                                                                                                           Access (block 13) on\n                                   TSO PE Database Administrator also\n                                                                                                                           the DD2875 Access\n                                   assigns security profiles to            Requested a complete DCPS user list.\n                                                                                                                           Request Form was not\n                                   development users through the           Selected a sample of users from the list\n                                                                                                                           specific to job duties.\n                                   Integrated Database Management          and inspected heir Form DD2875s that\n                                   System (IDMS) which restricts           detail the user\xe2\x80\x99s justification for access,\n                                                                                                                           DISA DECC\n                                   access to program libraries and         security clearance level and inspect for\n                                                                                                                           Mechanicsburg\n                                   databases.                              
existence and approval by management.\n                                                                                                                           management indicated\n                                                                                                                           the testing exception\n                                                                                                                           was caused by an\n                                                                                                                           administrative error and\n                                                                                                                           the exception was not\n                                                                                                                           significant enough to\n                                                                                                                           prevent the control\n                                                                                                                           activity from meeting\n                                                                                                                           its related control\n                                                                                                                           objective.\n\n\n                                                                  103\n\n\x0cNo.   
Control Objectives   Control Activities          Tests Performed     Results of Testing\n\n\n                                                                         DFAS Saufley Field\n\n                                                                         For 2 of the 45 sampled\n                                                                         DCPS users from\n                                                                         DFAS Saufley Field,\n                                                                         the Justification for\n                                                                         Access (block 13) on\n                                                                         the DD2875 Access\n                                                                         Request Form was not\n                                                                         complete.\n\n                                                                         For 4 of the 45 sampled\n                                                                         DCPS users from\n                                                                         DFAS Saufley Field,\n                                                                         the Justification for\n                                                                         Access (block 13) on\n                                                                         the DD2875 Access\n                                                                         Request Form was not\n                                                                         specific to job duties.\n\n                                                                         One of the 45 sampled\n                                                                         DCPS users from\n                                                                         DFAS Saufley Field did\n                       
                                                  not check the box\n                                                                         indicating they received\n                                                                         IA Training and\n                                                                         Awareness Certification\n                                                                         on the DD2875 Access\n                                                                         Request Form.\n\n                                                                         Two of the 20\n                                                                         terminated DFAS\n                                                                         Saufley Field\n                                                                         employees and\n                                                                         contractors appear to\n\n\n                                                104\n\n\x0cNo.       
Control Objectives                 Control Activities                       Tests Performed                     Results of Testing\n                                                                                                                        not have been removed\n                                                                                                                        from DCPS within 24\n                                                                                                                        hours of the user\n                                                                                                                        deactivation request\n                                                                                                                        sent in the personnel\n                                                                                                                        action email by Human\n                                                                                                                        Resources.\n\n                                                                                                                        DFAS management\n                                                                                                                        indicated the testing\n                                                                                                                        exception was caused\n                                                                                                                        by an administrative\n                                                                                                                        error and the exception\n                                                                                                                        was not significant\n                                 
                                                                                       enough to prevent the\n                                                                                                                        control activity from\n                                                                                                                        meeting its related\n                                                                                                                        control objective.\n\n                                                                                                                        DFAS Saufley Field\n      Passwords, tokens, or other    9.2.1 DFAS Saufley Field             DFAS Saufley Field\n9.2\n      devices are used to identify\n                                     User IDs and passwords are           Observed that each user account was           DCPS does not use\n      and authenticate users.\n                                     configured according to DoD          assigned a Security Profile that restricted   complex password\n                                     standards.                           access by module and program.                 configuration. 
ACF2\n                                                                                                                        does support complex\n                                                                          Observed the DCPS application to\n                                                                                                                        passwords; however,\n                                                                          confirm that users needed a valid User ID\n                                                                                                                        DISA and DFAS are in\n                                                                          and password to gain access to the\n                                                                                                                        the process of\n                                                                          system.\n                                                                                                                        transitioning the\n                                                                          Inspected system parameters to make           security configuration\n                                                                          certain that the system requires a User ID    for MZF to allow the\n                                                                          and password.                                 use of complex\n                                                                                                                        passwords. 
In addition,\n                                                                                                                        DCPS does not require\n                                                                                                                        that at least four\n\n\n\n                                                                   105\n\n\x0cNo.   Control Objectives            Control Activities                          Tests Performed                    Results of Testing\n                                                                                                                 characters be changed\n                                                                                                                 when a new password is\n                                                                                                                 created.\n\n\n\n\n                                                                                                                 DISA DECC\n                           9.2.2 DISA DECC Mechanicsburg            DISA DECC Mechanicsburg\n                                                                                                                 Mechanicsburg\n                           Multiple layers of access controls are   Confirmed through inquiry and\n                           used including; Common Access            observation that passwords are used to       Currently ACF2\n                           Card (CAC) and personal                  authenticate users.                          
password parameters\n                           identification number, DCPS user ID                                                   are not configured to\n                                                                    Inspected system parameters to make\n                           and password, and an RSA SecurID                                                      require the use of\n                                                                    certain that the system requires a User ID\n                           for Database Administration,                                                          special characters.\n                                                                    and password.\n                           Configuration Management,\n                           Security, and Tech Support.              Inspected the Security Account Creation      ACF2 is not configured\n                                                                    Guide to confirm that authentication         to require users to\n                                                                    devices are in compliance with DoD           change at least four\n                                                                    standards.                                   characters of their\n                                                                                                                 previously used\n                                                                                                                 passwords.\n\n\n\n\n                                                           106\n\n\x0cNo.        
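The 9.1 exception at DFAS Saufley Field (two of 20 terminated employees and contractors not removed from DCPS within 24 hours of the Human Resources deactivation request) is a check that can be run over the full population rather than a sample. The Python script below is an added example, not DFAS, DISA or DCPS code and not part of the report: it pairs each HR deactivation request with the earliest matching entry in the user-removal log and reports every request not satisfied within the window, treating a user with no removal record at all as still active. The record layout (user id plus ISO 8601 timestamp) and the sample records are constructed for illustration.

```python
"""Offboarding-latency check: match HR deactivation requests against the
account-removal log and flag users still active after the 24-hour window.
Added example with constructed records; the field layout is an assumption."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence, Tuple

SLA = timedelta(hours=24)  # the window the report tests against

Record = Tuple[str, str]   # (user id, ISO 8601 timestamp); assumed layout

# Constructed sample: deactivation requests from HR personnel-action e-mails.
HR_REQUESTS: List[Record] = [
    ("jdoe",   "2007-03-05T09:12:00"),
    ("asmith", "2007-03-05T16:40:00"),
    ("bwong",  "2007-04-11T08:00:00"),
    ("ctran",  "2007-05-20T13:30:00"),
]

# Constructed sample: user-id deletions recorded by the security software.
REMOVAL_LOG: List[Record] = [
    ("jdoe",   "2007-03-05T14:03:00"),  # removed the same day
    ("asmith", "2007-03-08T10:15:00"),  # removed more than two days later
    ("bwong",  "2007-04-12T07:59:00"),  # removed one minute inside the window
    ("asmith", "2007-03-09T08:00:00"),  # duplicate entry; the earliest one counts
    # ctran: no removal record at all
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def earliest_removals(removals: Sequence[Record]) -> Dict[str, datetime]:
    """Earliest removal time per user id (a user may appear more than once)."""
    out: Dict[str, datetime] = {}
    for uid, ts in removals:
        t = _parse(ts)
        if uid not in out or t < out[uid]:
            out[uid] = t
    return out


def late_removals(requests: Sequence[Record], removals: Sequence[Record],
                  sla: timedelta = SLA) -> List[dict]:
    """One finding per deactivation request not satisfied within `sla`.
    A user with no removal record is reported as not removed; a removal
    time-stamped before the request counts as already satisfied."""
    removed = earliest_removals(removals)
    findings: List[dict] = []
    for uid, ts in requests:
        requested = _parse(ts)
        done: Optional[datetime] = removed.get(uid)
        if done is None:
            findings.append({"user": uid, "hours": None, "status": "not removed"})
        elif done - requested > sla:
            hours = round((done - requested).total_seconds() / 3600, 1)
            findings.append({"user": uid, "hours": hours, "status": "late"})
    return findings


def summary(requests: Sequence[Record], findings: Sequence[dict]) -> str:
    """Exception count in the form the report uses ('2 of 20')."""
    return f"{len(findings)} of {len(requests)} deactivation requests exceeded {SLA}"


if __name__ == "__main__":
    found = late_removals(HR_REQUESTS, REMOVAL_LOG)
    for finding in found:
        print(finding)
    print(summary(HR_REQUESTS, found))
```

Keeping the earliest removal per user matters when the log carries duplicate deletions; taking the latest would turn an on-time removal into a late one. With a longer window (for example `sla=SLA * 3`) only the user with no removal record remains in the findings.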
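The two 9.2 exceptions above (ACF2 password parameters not requiring special characters, and no requirement that at least four characters change between the old and new password) are rules a password-change routine can enforce before the new value is accepted. The Python checker below is an added example, not ACF2's implementation and not code from the report: `WEAK` mirrors the configuration the auditors describe (complex passwords available but not enforced, no minimum-change rule) and `HARDENED` switches both missing rules on. The minimum length of 8 and the upper-case, lower-case and digit requirements are assumptions, since the report states neither; "characters changed" is interpreted here as the number of characters of the longer password not shared, in order, with the other one (ignoring case), so that rotating or shifting the old password does not count as a change.

```python
"""Password-policy checker covering the two ACF2 gaps the report describes:
no special-character requirement and no minimum number of changed characters.
Added example; values marked as assumptions are not DCPS or ACF2 settings."""
import string
from dataclasses import dataclass
from typing import List, Optional

SPECIALS = frozenset(string.punctuation)


def lcs_length(a: str, b: str) -> int:
    """Length of the longest common subsequence of a and b (dynamic programming)."""
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, start=1):
            cur.append(prev[j - 1] + 1 if ca == cb else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def chars_changed(old: str, new: str) -> int:
    """Characters of the longer password not carried over, in order, from the
    other one (case-insensitive). A position-by-position comparison would count
    a rotated or shifted password as fully changed; this view counts it as
    almost unchanged, which is the behaviour a minimum-change rule wants."""
    old, new = old.lower(), new.lower()
    return max(len(old), len(new)) - lcs_length(old, new)


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8           # assumption: the report states no length
    require_upper: bool = True    # assumption
    require_lower: bool = True    # assumption
    require_digit: bool = True    # assumption
    require_special: bool = True  # the parameter the report found unset
    min_changed: int = 4          # "at least four characters be changed"

    def violations(self, new: str, old: Optional[str] = None) -> List[str]:
        """Names of every rule the candidate password fails (empty list = accepted)."""
        failed: List[str] = []
        if len(new) < self.min_length:
            failed.append("length")
        if self.require_upper and not any(c.isupper() for c in new):
            failed.append("upper")
        if self.require_lower and not any(c.islower() for c in new):
            failed.append("lower")
        if self.require_digit and not any(c.isdigit() for c in new):
            failed.append("digit")
        if self.require_special and not any(c in SPECIALS for c in new):
            failed.append("special")
        if old is not None and chars_changed(old, new) < self.min_changed:
            failed.append("changed")
        return failed


# Configuration as the auditors describe it (illustrative): complex passwords
# supported but not required, and no minimum-change rule.
WEAK = PasswordPolicy(require_special=False, min_changed=0)
# Configuration with both missing rules switched on.
HARDENED = PasswordPolicy()


if __name__ == "__main__":
    for old, new in [("Payroll2006", "Payroll2007"), ("Payroll2006", "Tx!9mVq2")]:
        print(f"{old} -> {new}: weak={WEAK.violations(new, old)} "
              f"hardened={HARDENED.violations(new, old)}")
```

Under `WEAK`, incrementing the year on an existing password is accepted; under `HARDENED` it fails both the special-character and the minimum-change rule, while an unrelated password that meets the complexity rules passes.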
10    Network and Telecommunications

10.1  Control Objective: Telecommunication defense capabilities are
      implemented. Unclassified, sensitive data transmitted through a
      commercial or wireless network are encrypted using NIST-certified
      cryptography.

      Control Activity 10.1.1, DISA DECC Mechanicsburg:
        SMC ME is in the process of encrypting all data streams to the
        FIPS 140-2 standard.

      Tests Performed, DISA DECC Mechanicsburg:
        Inquired with security personnel whether DCPS data are transmitted
        through a commercial or wireless network. Inquired with security
        personnel to confirm that NIST cryptography was used to protect
        information when it is transmitted over commercial or wireless
        networks.

      Results of Testing:
        No relevant exception noted.

10.4  Control Objective: Conformance testing that includes periodic,
      unannounced, in-depth monitoring and provides for specific penetration
      testing to ensure compliance with all vulnerability mitigation
      procedures is planned, scheduled, and conducted.

      Control Activity 10.4.1, DISA DECC Mechanicsburg:
        DISA SMC ME performs monthly scans to check for any DCPS network
        vulnerabilities. DCPS system and hardware are reviewed through
        periodic SRR reviews that are conducted by FSO on the DCPS mainframe
        domain.

      Tests Performed, DISA DECC Mechanicsburg:
        Confirmed through inquiry that conformance testing is performed that
        includes periodic, unannounced, in-depth monitoring and provides for
        specific penetration testing to confirm that compliance with
        vulnerability mitigation procedures was planned, scheduled, and
        conducted. Obtained and inspected documentation produced from this
        conformance testing to confirm that vulnerability scans were
        completed.

      Results of Testing:
        No relevant exception noted.

12    Access Monitoring

12.1  Control Objective: Audit trails are maintained.

      Control Activity 12.1.1, DISA DECC Mechanicsburg and DFAS Saufley Field:
        A security audit trail is implemented for each system that documents
        the identity of each person/device having access to a system, the
        time of that access, user activity, and any actions which attempt to
        change security levels or privileges established for the user. The
        management of the audit trail is maintained by DISA.

      Tests Performed, DISA DECC Mechanicsburg:
        Confirmed through inquiry that audit trails are implemented for the
        MZF LPAR. Inspected the audit trails available and confirmed what
        information is being logged. Confirmed through inquiry and
        observation that audit trails are maintained for at least 5 years.
        Confirmed through inquiry and inspection that the log is reviewed and
        signed off by management.

      Tests Performed, DFAS Saufley Field:
        Confirmed through inquiry that audit trails are implemented for the
        application. Inspected the audit trails available and confirmed what
        information is being logged. Confirmed through inquiry and
        observation that audit trails are maintained for at least 5 years.
        Confirmed through inquiry and inspection that the log is reviewed and
        signed off by management.

      Results of Testing:
        No relevant exception noted.

      Control Activity 12.1.3, DFAS Saufley Field:
        Adheres to DITSCAP requirements for system access and content,
        retention, and protection of audit trails. The most recent testing of
        compliance with DITSCAP guidance is contained in the DCPS SSAA,
        Appendices H and P.

      Tests Performed, DFAS Saufley Field:
        Inspected the policy for protection of the audit trails and confirmed
        that the policy limits access to audit trails. Confirmed through
        inquiry and observation that audit logs include activities that might
        modify, bypass, or negate safeguards controlled by the system and
        that audit trails are protected against unauthorized access,
        modification, or deletion. Observed that only a select, limited number
        of individuals, such as the Information System Security Officer
        (ISSO) and the Information Assurance Manager, have access to the
        audit trails.

      Results of Testing:
        No relevant exception noted.

12.4  Control Objective: Suspicious network access activity is investigated
      and appropriate action is taken. Instant messaging traffic to and from
      instant messaging clients that are independently configured by end
      users and that interact with a public service provider is prohibited
      within DoD information systems.

      Control Activity 12.4.2, DFAS Saufley Field:
        DMI controls the configuration of computers, and instant messaging
        programs are not authorized. TSO PE monitors application usage
        through an automated software auditing application that runs
        regularly when users log on to their workstation. Instant messaging
        programs are identified as part of that auditing process.

      Tests Performed, DFAS Saufley Field:
        Inquired with personnel to confirm that the use of instant messaging
        is against DoD policy and determined how they control instant
        messaging. Inspected firewall rules to confirm that instant messaging
        is blocked.

      Results of Testing:
        No relevant exception noted.

13    DCPS Change Management

13.1  Control Objective: DISA or DFAS initiated application, software, or
      hardware modifications are authorized, and the documentation is
      maintained.

      Control Activity 13.1.1, DISA DECC Mechanicsburg:
        Procedures addressing the testing of patches, upgrades, and new AIS
        applications are documented. All changes to information systems at
        DISA SMC-ME are brought before at least one of two Change Control
        Boards (CCBs). DISA headquarters has an Executive Software CCB which
        is responsible for reviewing all major system changes such as new
        versions, new software, and the removal of software. There is also a
        local CCB at DISA SMC-ME that meets on a weekly basis. The local CCB
        is responsible for reviewing all operating system upgrades and fixes.
        The local CCB is also responsible for alerting the customer to the
        change and obtaining the customer's approval before proceeding. Also,
        the local CCB is responsible for maintaining the change control
        records.

      Control Activity 13.1.2, DISA DECC Mechanicsburg:
        The DISA Executive Software CCB consists of representatives of DISA
        management as well as all the DISA SMCs. The DISA SMC-ME local CCB
        consists of all department heads and the information assurance
        manager (IAM).

      Tests Performed, DISA DECC Mechanicsburg:
        Obtained and inspected the change management policies and procedures
        for systems software to confirm that they exist and are current.
        Requested the full population of code/database modifications from the
        DCPS production code library which occurred during the audit period
        under review (7/01/06 through 6/30/07) and traced a sample of
        modifications to an approved System Change Request (SCR) or PTR. For
        each modification selected, obtained the change request document and
        confirmed that it was approved by key personnel prior to
        implementation. Confirmed that each modification was tested and that
        the test results were approved prior to the modification being
        implemented. Confirmed that the modification is documented by
        inspecting the SCR; System Test Plan (STP); detailed system
        specifications; and unit, system and acceptance testing results.

      Results of Testing:
        No relevant exception noted.

      Control Activity 13.1.3, DFAS Saufley Field:
        Testing of changes follows the approved process outlined in the DFAS
        TSO Business Process Handbook prior to implementation. A Testing
        Deficiency Report (TDR) is issued for SCRs with negative test results
        and the TDR is routed to the appropriate individuals.

      Tests Performed, DFAS Saufley Field:
        Using the same sample selected for control objective 13.1, confirmed
        that the DCPS application changes followed the appropriate test and
        migration process by inspecting the following for completeness,
        authorization and software quality requirements:
          • system test plan (STP);

      Results of Testing, DFAS Saufley Field:
        Two of the 45 sampled DFAS Saufley Field test scripts did not
        reference the SCR number. Testing results documentation was not
If necessary,\n                                                                                                                  maintained for 3 of the\n                           an amendment is issued and\n                                                                      \xe2\x80\xa2    detailed system specifications; and    45 sampled DFAS\n                           processes through same approval\n                                                                                                                  Saufley Field SCRs.\n                           process as an SCR.\n                                                                      \xe2\x80\xa2    unit, system and acceptance\n                                                                           testing results.                       No documentation\n                                                                                                                  exists which states\n                                                                    Inquired with DCPS security personnel as      which configuration\n                                                                    to their roles and responsibilities for the   items (CIs) are required\n                                                                    release of security-related changes           to be tested prior to\n                                                                    included in DCPS Releases.                    
implementation.\n                                                                    Observed release notes for the major\n                                                                                                                  DFAS management\n                                                                    DCPS production releases that occurred\n                                                                                                                  indicated the testing\n                                                                    during the audit period.\n                                                                                                                  exception was caused\n                                                                                                                  by an administrative\n                                                                                                                  error and the exception\n                                                                                                                  was not significant\n                                                                                                                  enough to prevent the\n                                                                                                                  control activity from\n                                                                                                                  meeting its related\n                                                                                                                  control objective.\n\n\n                                                           111\n\n\x0cNo.        
Control Objectives                 Control Activities                        Tests Performed                    Results of Testing\n\n                                     13.1.4 DFAS Saufley Field              DFAS Saufley Field                           No relevant exception\n                                                                                                                         noted.\n                                     Release management staff is            Using the same sample selected for\n                                     responsible for ensuring that all      control objective 13.1, confirmed that the\n                                     programs are labeled and inventoried   changes had been labeled, assigned an ID,\n                                     within the appropriate library.        and inventoried.\n\n\n       New and modified              13.2.1 DFAS Saufley Field              DFAS Saufley Field                           DFAS Saufley Field\n13.2\n       application, hardware, and\n                                     Release Management staff are           Using the same sample selected for           DFAS Saufley Field\n       operating system or utility\n                                     responsible for distribution or        control objective 13.1, confirmed that the   does not have a policy\n       software is tested and\n                                     implementation of new or revised       change followed the appropriate              outlining what types of\n       controlled according to\n                                     software.                              distribution process by inspecting the       SCR configuration\n       specific criteria.\n                                                                            release authorization report for             items (CI) are tested\n                                                                            completeness and authorization.             
 prior to\n                                                                                                                         implementation.\n                                                                                                                         DFAS management\n                                                                                                                         indicated the testing\n                                                                                                                         exception was caused\n                                                                                                                         by an administrative\n                                                                                                                         error and the exception\n                                                                                                                         was not significant\n                                                                                                                         enough to prevent the\n                                                                                                                         control activity from\n                                                                                                                         meeting its related\n                                                                                                                         control objective.\n\n       Emergency changes are         13.3.1 DFAS Saufley Field              DFAS Saufley Field                           No relevant exception\n13.3\n       promptly approved.                                                                                                
noted.\n                                     A configuration management plan is     Using the same sample selected for\n                                     implemented for software               control objective 13.1, confirmed through\n                                     modifications; contained in the        inspection that the DCPS emergency\n                                     DFAS TSO Business Process              changes been authorized by the Program\n                                     Handbook. All modifications must       Manager and/or Software Director and\n                                     go through the system change request   traced each SCR or PTR identified above\n                                     (SCR) process and receive proper\n\n                                                                    112\n\n\x0cNo.       Control Objectives               Control Activities                          Tests Performed                    Results of Testing\n                                  approvals prior to implementation,\n                                                                           to the Release Authorization Report to\n                                  including emergency changes made\n                                                                           confirm it has been approved by the\n                                  during business hours. 
Emergency\n                                                                           Software Director.\n                                  changes which arise during non-\n                                  business hours may be implemented\n                                  prior to SCR approval; however, the\n                                  change is run through the SCR\n                                  process at the start of the next\n                                  business day.\n\n\n       Movement of programs and   13.4.1 DFAS Saufley Field                DFAS Saufley Field                           No relevant exception\n13.4\n       data among libraries is                                                                                          noted.\n                                  The System Administrator manages         Observed the DCPS Librarian to\n       controlled.\n                                  access rights to the program libraries   understand how the development and\n                                  and databases through ACF2. The          production libraries are controlled.\n                                  Database Administrator grants access\n                                                                           Inspected the access control lists for the\n                                  to the appropriate\n                                                                           production and development libraries\n                                  development/production\n                                                                           (directories) to confirm that only\n                                  environments through IDMS. 
IDMS\n                                                                           authorized personnel have access.\n                                  controls versioning in both the\n                                  development and production\n                                  environments.\n\n\n       Use of public domain and   13.5.1 DFAS Saufley Field                DFAS Saufley Field                           No relevant exception\n13.5\n       personal software is                                                                                             noted.\n                                  DFAS workstations and LANs do not        Inspected the DCPS SSAA to confirm\n       restricted.\n                                  allow any use of public domain           that personal software is restricted.\n                                  and/or personal software. DCPS is\n                                                                           Inspected a list of approved software to\n                                  on the mainframe; all utilities needed\n                                                                           confirm such a list exists.\n                                  are on the mainframe (which is\n                                  DISA-driven).                            Confirmed by re-performance that the\n                                                                           control to prevent the use of public\n                                                                           domain software is operating effectively.\n                                                                           .\n\n\n                                                                  113\n\n\x0cNo.        
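The tracing test described under control objective 13.1 and the emergency-change rule under 13.3 can be expressed as a small reconciliation. The Python below is an added example, not code from the report or from DFAS or DISA, and the DCPS change process itself is manual: it takes a constructed list of production modifications and a constructed list of SCR/PTR records, and flags the exceptions an auditor would write up (no change request to trace to, approval or approved test results after implementation, test results not documented). The record fields, the 08:00 to 17:00 weekday business hours, and the reading of "run through the SCR process at the start of the next business day" as "approved by the close of that business day" are assumptions, not the handbook's wording.

```python
"""Change-control reconciliation in the spirit of control objectives 13.1 and 13.3.

Added example, not code from the report, DFAS or DISA. Every production
modification must trace to an approved SCR/PTR whose approval and approved test
results precede implementation; an emergency change made outside business hours
may go in first but must be approved by the close of the next business day.
Record layouts, business hours and all sample data are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

# Assumed business hours; the report does not define them.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(17, 0)


@dataclass(frozen=True)
class ChangeRequest:
    """An SCR or PTR record (assumed layout)."""
    scr_id: str
    approved_at: Optional[datetime]        # approval by key personnel; None = never approved
    tests_approved_at: Optional[datetime]  # approved test results; None = not documented
    emergency: bool = False


@dataclass(frozen=True)
class ProductionChange:
    """One modification pulled from the production code library (assumed layout)."""
    module: str
    implemented_at: datetime
    scr_id: Optional[str]                  # None = no change request referenced


def in_business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END


def next_business_day_start(ts: datetime) -> datetime:
    """First weekday BUSINESS_START strictly after ts (Saturday 03:00 -> Monday 08:00)."""
    candidate = datetime.combine(ts.date(), BUSINESS_START)
    while candidate <= ts or candidate.weekday() >= 5:
        candidate += timedelta(days=1)
    return candidate


def approval_deadline(implemented_at: datetime, emergency: bool) -> datetime:
    """13.3: approvals normally precede implementation. An emergency change raised
    outside business hours gets until the close of the next business day (our
    reading of 'run through the SCR process at the start of the next business day')."""
    if emergency and not in_business_hours(implemented_at):
        return datetime.combine(next_business_day_start(implemented_at).date(), BUSINESS_END)
    return implemented_at


def fmt(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%d %H:%M")


def reconcile(changes, requests) -> dict[str, list[str]]:
    """Map each production change to the list of exceptions an auditor would record."""
    by_id = {r.scr_id: r for r in requests}
    findings: dict[str, list[str]] = {}
    for c in changes:
        req = by_id.get(c.scr_id) if c.scr_id else None
        if req is None:
            findings[c.module] = ["no SCR/PTR traced to this modification"]
            continue
        deadline = approval_deadline(c.implemented_at, req.emergency)
        issues = []
        if req.approved_at is None:
            issues.append("SCR/PTR not approved")
        elif req.approved_at > deadline:
            issues.append(f"approval {fmt(req.approved_at)} is after deadline {fmt(deadline)}")
        if req.tests_approved_at is None:
            issues.append("test results not documented")
        elif req.tests_approved_at > deadline:
            issues.append(f"test results approved {fmt(req.tests_approved_at)}, after deadline {fmt(deadline)}")
        findings[c.module] = issues
    return findings


def modules_with_exceptions(findings) -> list[str]:
    return sorted(m for m, issues in findings.items() if issues)


# Constructed sample data inside the audit period (7/01/06 through 6/30/07).
SAMPLE_REQUESTS = [
    ChangeRequest("SCR-1001", datetime(2006, 9, 12, 10, 0), datetime(2006, 9, 14, 15, 0)),
    ChangeRequest("PTR-1002", datetime(2006, 11, 13, 9, 30), datetime(2006, 11, 13, 11, 0), emergency=True),
    ChangeRequest("SCR-1003", datetime(2007, 2, 22, 14, 0), datetime(2007, 2, 22, 14, 30), emergency=True),
    ChangeRequest("SCR-1004", datetime(2007, 3, 14, 13, 0), datetime(2007, 3, 14, 10, 30), emergency=True),
    ChangeRequest("SCR-1005", datetime(2007, 4, 2, 9, 0), None),
]
SAMPLE_CHANGES = [
    ProductionChange("PAYCALC01", datetime(2006, 9, 15, 2, 0), "SCR-1001"),  # off-hours, but approved beforehand
    ProductionChange("TAXTBL07", datetime(2006, 11, 11, 3, 0), "PTR-1002"),  # Saturday emergency, approved Monday
    ProductionChange("LEAVE03", datetime(2007, 2, 20, 21, 0), "SCR-1003"),   # Tuesday night, approved Thursday: late
    ProductionChange("GARN02", datetime(2007, 3, 14, 11, 0), "SCR-1004"),    # business-hours emergency, approved after
    ProductionChange("DEDUCT11", datetime(2007, 4, 3, 10, 0), "SCR-1005"),   # approved, test results never documented
    ProductionChange("RETRO05", datetime(2007, 5, 10, 9, 0), None),          # nothing to trace to
]

if __name__ == "__main__":
    for module, issues in reconcile(SAMPLE_CHANGES, SAMPLE_REQUESTS).items():
        print(module, "OK" if not issues else "; ".join(issues))
```

Run as a script it prints one line per sampled modification. Note that a change implemented at night is not an exception on its own (PAYCALC01 was pre-approved); what the rule in 13.3 exempts is only the ordering of approval and implementation, and only for emergencies outside business hours, so an emergency pushed during the working day (GARN02) is held to the ordinary prior-approval requirement.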
No.   Control Objectives | Control Activities | Tests Performed | Results of Testing

13.6  Control Objective
      Changes to the DoD information system are assessed for IA and accreditation
      impact prior to implementation.

      Control Activities
      13.6.1 DISA DECC Mechanicsburg
      All changes made at DISA SMC-ME are captured in the Change Management System
      (Change Management 2000). Information included in each change record is the
      requested time and date of implementation, the action to occur, and
      justification of the action. The change is then presented to the Change
      Control Board (CCB), where the change is assessed for IA and accreditation
      impact. The change is only implemented after approval from the CCB and
      after testing is completed and reviewed.

      Tests Performed (DISA DECC Mechanicsburg)
      Using the same sample selected for control objective 13.1, obtained the CCB
      meeting minutes that included the discussion of the DCPS changes and
      confirmed whether management assessed the change for IA and accreditation
      impact.
      Established whether the changes were approved by the CCB and testing had
      been completed and approved prior to implementation into the production
      environment.

      13.6.2 DFAS Saufley Field
      All changes made are captured in the Change Management Information System
      (CMIS). Information included in each change record is the requested time
      and date of implementation, the action to occur, and justification of the
      action. In addition, all changes are assessed by the IA Officers.

      Tests Performed (DFAS Saufley Field)
      Using the same sample selected for control objective 13.1, confirmed that the
      change record includes the requested time and date of implementation, the
      action to occur, and justification of the action.

      Results of Testing
      No relevant exception noted.

14    Data Retention

14.1  Control Objective
      Data and program backup procedures have been implemented.

      Control Activities
      14.1.1 DFAS Saufley Field
      Data and program backup procedures have been established by DFAS
      Management.

      DISA DECC Mechanicsburg
      Data and program backup procedures have been established by DFAS Management
      and are included in the DISA SMC ME Business Continuity Plan as prescribed
      in the SLA between DISA and DFAS.

      Tests Performed (DFAS Saufley Field)
      Obtained the Business Continuity Plan to confirm that it specifies the data
      and program backup procedures that have been implemented related to DCPS.
      Inquired with key personnel to confirm that resources are dedicated to the
      periodic backup and restoration of data stored on network share drives.

      Tests Performed (DISA DECC Mechanicsburg)
      Obtained the Business Continuity Plan to confirm that it specifies the data
      and program backup procedures that have been implemented related to DCPS.
      Inquired with key personnel to confirm that resources are dedicated to the
      periodic backup and restoration of data stored on network share drives.
      Inquired how often backups are performed, shipped off site, and maintained
      off site in a fire-rated container.
      Selected a sample of dates which occurred during the audit period and
      obtained the backup logs. Confirmed through inspection that the log is
      completed based upon the backup policies and procedures.

      Results of Testing
      No relevant exception noted.

                                                              115



Section IV: Supplemental Information Provided
              by DFAS and DISA




                     117


IV. Supplemental Information Provided by DFAS and DISA
Introduction

DFAS and DISA have prepared this report section, and it is included to provide
information that DFAS and DISA believe will be of interest to user organizations.
However, this information is not covered within the scope or control objectives
established for the SAS 70 review. Specifically, this section includes a summary of
procedures that DFAS and DISA have implemented to enable them to recover from a
disaster affecting a Payroll Office, the TSOPE, or DECC SMC Mechanicsburg.

This information has not been subjected to the procedures applied to the
examination of the description of controls presented in Sections II and III of this
report. As a result, the DoD OIG expresses no opinion regarding the completeness
and accuracy of this information.

TSOPE Specific Business Continuity Plans

The DCPS production support Continuity of Operations Plan (COOP) provides an action
plan to be implemented when a disaster or impending threat would render DCPS
production support inoperable (for example, a hurricane or damage to TSOPE facilities
due to fire). This plan is evaluated and updated on an annual basis and is implemented
locally at each of the established DCPS Payroll Offices. If an impending threat or event
occurs, production support control for DCPS is transferred to an alternate processing site.
Currently, that site is DFAS Indianapolis, Indiana. 
The COOP includes the names of\nDCPS staff members who will serve as a pool of resources to be mobilized to execute the\nplan and a list of documentation and supplies that are necessary to support the mobilized\nteam.\n\nTeam members are composed of DCPS development staff members across many\ndivisions and branches. TSOPE designates two members of the management team to be\nresponsible for COOP execution. One is mobilized with the team and is responsible for\nteam activities and communication with TSOPE while deployed to the COOP recovery\nsite. The other serves as the team\xe2\x80\x99s liaison at TSOPE and is responsible for relaying\ncurrent operational status, current area weather conditions, and other pertinent\ninformation to the mobilized team. The team is further divided into two teams, with each\ncovering a 12-hour shift. Team leaders are appointed for the respective shift teams. The\nDCPS project management staff coordinate and are involved in each step included in\nplanning and executing the COOP. Although this plan works for any type of disaster\nwhere production support becomes inoperable, it has been successfully executed several\ntimes in the past few years during impending disastrous weather conditions, such as\nhurricanes.\n\nDECC Mechanicsburg Business Continuity Plans\n\nTo accommodate a major disaster at any major DISA processing center, DISA has\nestablished an Enterprise Business Continuity Program. 
The DISA plan uses multiple
internal locations and, for mainframe processing, uses the Assured Computing
Environment infrastructure elements located at DECC SMC Mechanicsburg and Ogden.
DECC SMC Mechanicsburg and Ogden are equipped with the computational, direct access
storage device, and telecommunication resources necessary to provide a fully functional
host site with the capacity to support a major disaster at any DISA center with mainframe
processing.
                                           119 

The COOP support agreement between DFAS, as the customer, and DISA, as the provider of
processing systems and communications services, describes a process for restoring host-site
processing in the event of a major disaster. The plan also addresses the timely resolution of
problems during other disruptions that adversely affect DCPS processing. The plan, as it relates
to DCPS, details data restoration procedures for the MZF z/OS operating system, the DCPS
Integrated Database Management System, and related mid-tier servers and communication
devices. Replicated data and backup tapes containing incremental daily and complete weekly
backups are rotated off site to designated locations, on a predetermined schedule, for storage.

The Crisis Management Team at DECC SMC Mechanicsburg is responsible for declaring that a
disaster has occurred and activating the Business Continuity Plan. Once a disaster has been
declared, the Crisis Management Team activates the following response teams: Communications
Team, Recovery Coordination Team, Site Recovery Team, and Crisis Support Team. Each
team has a specific set of responsibilities defined in the Business Continuity Plan. The contact
information for each individual on each team is also included in the Business Continuity Plan.
The plan is required to be tested on an annual basis. The Business Continuity Plan was tested in
November 2005. 
TSOPE personnel participate in the yearly COOP exercise to ensure that the
process works correctly and documentation is updated appropriately.

DFAS Indianapolis 592 Report Policies and Procedures

Policies and procedures for performing the 592 Payroll for Personal Services Payroll
Certification and Summary Report reconciliation have not been developed and documented at the
DFAS Indianapolis Payroll Office. DFAS Indianapolis has been using part of the DFAS Denver
Payroll SOP and is developing a uniform DFAS Indianapolis SOP for performing the 592
Payroll for Personal Services Payroll Certification and Summary Report reconciliation as the
office begins processing payroll for additional databases while the Denver Payroll Office closes
under Base Realignment and Closure.

DCPS Password Configuration

ACF2, the access control software for the environment on which DCPS resides, supports
complex passwords; however, complex passwords are not used. DISA and DFAS are in the
process of transitioning the security configuration for the environment to allow the use of
complex passwords.




                                            120

    Acronyms and Abbreviations 



ACF2      Access Control Facility 2
ATO       Authority to Operate
BBG       Broadcasting Board of Governors
BRAC      Base Realignment and Closure
CAC       Common Access Card
CBT       Computer Based Training
CCB       Configuration Control Board
COOP      Continuity of Operations Plan
CSR       Customer Service Representative
DCPS      Defense Civilian Pay System
DECC      Defense Enterprise Computing Center
DFAS      Defense Finance and Accounting Service
DISA      Defense Information Systems Agency
DITSCAP   Department of Defense Information Technology Security
            Certification and Accreditation Process
DoD       Department of Defense
DoE       Department of Energy
EOP       Executive Office of the President
EPA       Environmental Protection Agency
FSO       Field Security Operations
GCC       General Computer Controls
HHS       Health and Human Services
IA        Information Assurance
IAVA      Information Assurance Vulnerability Alerts
IDMS      Integrated Database Management System
IS        Information Security
ISSO      Information System Security Officer
LANS      Local Area Networks
LPAR      Logical Partition
MAC       Mission Assurance Category
MOA       Memorandum of Agreement
NSA       National Security Agency
OIG       Office of the Inspector General
OLQ       Online Queries
PIIR      Personnel Interface Invalid Report
SAAR      Systems Access Authorization Request
SCR       System Change Request
SLA       Service Level Agreement
SMC       System Management Center

                                     121 

SMO       System Management Office
SOP       Standard Operating Procedure
SRR       System Readiness Review
SSAA      System Security Authorization Agreement
SSN       Social Security Number
STIG      Security Technical Implementation Guide
TASO      Terminal Area Security Officer
TSO       Technology Services Organization
TSOPE     Technology Services Engineering Organization in Pensacola
TSP       Thrift Savings Plan
VA        Veterans Affairs
VMS       Vulnerability Management System
VPN       Virtual Private Network
WBT       Web Based Training




                                    122

Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
Under Secretary of Defense (Comptroller)/Chief Financial Officer
   Deputy Chief Financial Officer
   Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense for Networks and Information Integration/DoD Chief
   Information Officer
Director, Program Analysis and Evaluation

Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Auditor General, Department of the Air Force

Combatant Command
Inspector General, U.S. Joint Forces Command

Other Defense Organizations
Director, National Security Agency
Director, Defense Finance and Accounting Service
Inspector General, Defense Information Systems Agency

Non-Defense Federal Organizations and Individuals
Office of Management and Budget
Government Accountability Office

Congressional Committees and Subcommittees, Chairman and
Ranking Minority Members
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Homeland Security and Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations


                                          123 

Congressional Committees and Subcommittees, Chairman and
Ranking Minority Members (cont'd)
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency and Financial Management, Committee on
Government Reform
House Subcommittee on National Security, Emerging Threats, and International Relations,
Committee on Government Reform
House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the
Census, Committee on Government Reform




                                               124

Team Members
The Defense Financial Auditing Service, Department of Defense Office of Inspector General, in
conjunction with contract auditors from Acuity Consulting, Inc., produced this report. Personnel
from the Technical Assessment Directorate and Quantitative Methods Directorate, DoD OIG,
also contributed to the report.

Paul J. Granetto
Patricia A. Marsh
Holly Williams
Frank C. Sonsini
Kenneth H. Stavenjord
Donna A. Roberts
Charles S. Dekle
Ernest G. Fine
Mary A. Hoover
Anissa M. Nash
Carl L. Adams
Debra J. DeJonge
Cassie C. Lin
Brian Royer
Kiana E. Silver
Alberto J. Calimano-Colon